software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
The Real Cost of Delayed Patching in Open Source Components
Patches for open source flaws often exist for months before teams apply them. Here is what that patch lag actually costs in breaches, cleanup, and trust.
How Dependency Graphs Reveal Hidden Supply Chain Risk
Dependency graph analysis reveals which transitive packages can actually reach your code. From Log4Shell to the xz backdoor, see why flat scans miss what graphs catch.
License Compliance Debt: The Quiet Risk Growing Alongside...
Open source license debt is compounding as fast as CVE backlogs, but has no CVSS score, no patch, and no dashboard — until an audit, M&A deal, or lawsuit forces the issue.
The Long Tail of Abandoned Open Source Projects and Enter...
Abandoned open source packages sit quietly in enterprise SBOMs until a burned-out maintainer, a hijacked account, or a patient attacker turns them into the next supply chain incident.
What a Decade of Open Source Vulnerability Data Tells Us ...
CVEs grew sixfold in a decade. Here is what a decade of open source vulnerability trends reveals about ecosystem maturity, from Log4Shell to the xz backdoor.
Direct vs Transitive Vulnerabilities: Why the Distinction...
Most CVEs in your stack aren't in packages you chose — they're transitive. Here's why direct vs transitive vulnerabilities need different fixes and different priority.
The Economics of Free Riding in Open Source Security
Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.
Do Bug Bounties Actually Reduce Open Source Risk? An Inde...
Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.
How 'Vibe Coding' Culture Is Reshaping Application Securi...
AI-assisted "vibe coding" is reshaping how much code ships and how little of it gets truly reviewed. Here's what the data shows and how AppSec teams should respond.
Do Code Review Practices Need to Change When Half the Cod...
AI now writes up to half of production code. Here is why traditional code review breaks down on AI output, and what teams need to change.
Hallucinated Dependencies: How AI Models Invent Package N...
AI coding assistants regularly invent package names that don't exist — and attackers are registering them first. Here's how slopsquatting works and how to defend against it.
Model Training Data and the Propagation of Insecure Codin...
LLM coding assistants inherit insecure patterns from their training data — from SQLi-prone snippets to hallucinated packages attackers exploit. Here's how the risk propagates.