Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Open Source Security

Immature Open Source Projects as a Supply Chain Risk

xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.

Nov 3, 20257 min read
Regulatory Compliance

License and Regulatory Risk in Open Source Components

Redis, HashiCorp, and Elastic all re-licensed core projects since 2021, and new rules like the EU Cyber Resilience Act now make license and SBOM gaps a regulatory problem.

Nov 2, 20258 min read
Open Source Security

Under/Oversized Dependency Risk in Modern Applications

Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.

Nov 2, 20257 min read
Industry Analysis

Hardcoded Secrets in Source Code: Detection and Remediation

Hardcoded secrets in source code caused breaches at Toyota, Uber, and Samsung. Here's why developers keep doing it, how attackers exploit it, and how to fix it.

Oct 31, 20258 min read
Industry Analysis

Insecure Hash Algorithm Usage in Application Code

MD5 and SHA-1 collisions were proven broken decades ago, yet they still power passwords, checksums, and signatures in production code today. Here's why—and how to find them.

Oct 31, 20257 min read
Industry Analysis

Insecure Randomness in Security-Sensitive Code

A single deleted line broke Debian's OpenSSL keys for two years. We break down real insecure randomness vulnerabilities and how Safeguard catches weak PRNGs before attackers do.

Oct 31, 20257 min read
Industry Analysis

Unrestricted File Upload Vulnerabilities

Unrestricted file upload flaws let attackers turn a simple upload form into remote code execution. Here's how real-world CVEs happened, and how to prevent them.

Oct 30, 20257 min read
Industry Analysis

Insecure Temporary File Creation

Insecure temp file creation (CWE-377) still causes real CVEs today — from JUnit4 to npm's tmp package. Here's how the race condition works and how to stop it.

Oct 30, 20257 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...

A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.

Oct 27, 20257 min read
Industry Analysis

SQL Injection Prevention in Java with PreparedStatement

Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.

Oct 27, 20258 min read
Industry Analysis

SQL Injection Prevention in Go with database/sql Prepared...

How Go's database/sql prepared statements prevent SQL injection, where developers still get it wrong with dynamic queries and ORMs, and how Safeguard catches these gaps in code review.

Oct 26, 20258 min read
Industry Analysis

SQL Injection Prevention in PHP with Parameterized Queries

Parameterized queries stop SQL injection in PHP by separating code from data. Here's how PDO and MySQLi prepared statements work, and where they still fail.

Oct 26, 20258 min read
software-supply-chain (Page 30) — Safeguard Blog