Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Open Source Security

The Real Cost of Delayed Patching in Open Source Components

Patches for open source flaws often exist for months before teams apply them. Here is what that patch lag actually costs in breaches, cleanup, and trust.

Aug 13, 20258 min read
Open Source Security

How Dependency Graphs Reveal Hidden Supply Chain Risk

Dependency graph analysis reveals which transitive packages can actually reach your code. From Log4Shell to the xz backdoor, see why flat scans miss what graphs catch.

Aug 12, 20258 min read
Compliance

License Compliance Debt: The Quiet Risk Growing Alongside...

Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.

Aug 12, 20257 min read
Open Source Security

The Long Tail of Abandoned Open Source Projects and Enter...

Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.

Aug 12, 20257 min read
Open Source Security

What a Decade of Open Source Vulnerability Data Tells Us ...

CVEs grew sixfold in a decade. Here is what a decade of open source vulnerability trends reveals about ecosystem maturity, from Log4Shell to the xz backdoor.

Aug 11, 20258 min read
Open Source Security

Direct vs Transitive Vulnerabilities: Why the Distinction...

Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.

Aug 11, 20258 min read
Open Source Security

The Economics of Free Riding in Open Source Security

Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.

Aug 10, 20258 min read
Open Source Security

Do Bug Bounties Actually Reduce Open Source Risk? An Inde...

Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.

Aug 9, 20257 min read
Application Security

How 'Vibe Coding' Culture Is Reshaping Application Securi...

AI-assisted "vibe coding" is reshaping how much code ships and how little of it gets truly reviewed. Here's what the data shows and how AppSec teams should respond.

Aug 8, 20257 min read
Industry Analysis

Do Code Review Practices Need to Change When Half the Cod...

AI now writes up to half of production code. Here is why traditional code review breaks down on AI output, and what teams need to change.

Aug 8, 20257 min read
Open Source Security

Hallucinated Dependencies: How AI Models Invent Package N...

AI coding assistants regularly invent package names that don't exist — and attackers are registering them first. Here's how slopsquatting works and how to defend against it.

Aug 7, 20257 min read
AI Security

Model Training Data and the Propagation of Insecure Codin...

LLM coding assistants inherit insecure patterns from their training data — from SQLi-prone snippets to hallucinated packages attackers exploit. Here's how the risk propagates.

Aug 7, 20258 min read
software-supply-chain (Page 39) — Safeguard Blog