software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Immature Open Source Projects as a Supply Chain Risk
xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.
License and Regulatory Risk in Open Source Components
Redis, HashiCorp, and Elastic all re-licensed core projects since 2021, and new rules like the EU Cyber Resilience Act now make license and SBOM gaps a regulatory problem.
Under/Oversized Dependency Risk in Modern Applications
Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.
Hardcoded Secrets in Source Code: Detection and Remediation
Hardcoded secrets in source code caused breaches at Toyota, Uber, and Samsung. Here's why developers keep doing it, how attackers exploit it, and how to fix it.
Insecure Hash Algorithm Usage in Application Code
MD5 and SHA-1 collisions were proven broken decades ago, yet they still power passwords, checksums, and signatures in production code today. Here's why—and how to find them.
Insecure Randomness in Security-Sensitive Code
A single deleted line broke Debian's OpenSSL keys for two years. We break down real insecure randomness vulnerabilities and how Safeguard catches weak PRNGs before attackers do.
Unrestricted File Upload Vulnerabilities
Unrestricted file upload flaws let attackers turn a simple upload form into remote code execution. Here's how real-world CVEs happened, and how to prevent them.
Insecure Temporary File Creation
Insecure temp file creation (CWE-377) still causes real CVEs today — from JUnit4 to npm's tmp package. Here's how the race condition works and how to stop it.
Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...
A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.
SQL Injection Prevention in Java with PreparedStatement
Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.
SQL Injection Prevention in Go with database/sql Prepared...
How Go's database/sql prepared statements prevent SQL injection, where developers still get it wrong with dynamic queries and ORMs, and how Safeguard catches these gaps in code review.
SQL Injection Prevention in PHP with Parameterized Queries
Parameterized queries stop SQL injection in PHP by separating code from data. Here's how PDO and MySQLi prepared statements work, and where they still fail.