software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
NIST SP 800-53 control mapping for AppSec
How NIST SP 800-53's SA, RA, and SR control families map to modern AppSec — and where legacy scanners like Veracode leave supply-chain evidence gaps.
SOC 2 Type II reporting for AppSec vendors and buyers
A SOC 2 Type II badge isn't enough due diligence for AppSec vendors. Here's what to actually check in the report—scope, exceptions, and subservice carve-outs—before you trust one.
Building Securely with AI (secure AI-assisted development)
AI coding assistants ship code fast — Veracode found 45% of AI-generated code contains security flaws. Here's what secure AI-assisted development actually requires.
AIBOM in 2026: Treating AI Models as a Software Supply Chain
The AI bill of materials is graduating from optional security artifact to procurement requirement. Here is what AIBOM/ML-BOM actually tracks in 2026, how it ties to the EU AI Act, and where it still falls short.
Black Hat USA 2026 Preview: Agentic AI Security Takes Mandalay Bay
A preview of Black Hat USA 2026 at Mandalay Bay, Aug 1-6. Why agentic AI security, the software supply chain, and post-quantum readiness are the threads to watch before the briefings begin.
Reachability-based vulnerability prioritization (Polaris ...
Reachability analysis cuts CVE noise by confirming which vulnerabilities are exploitable. Here's how Black Duck's Polaris reachability compares to Safeguard's pipeline-native approach.
What open source scans miss in M&A due diligence
Open source composition scans like Black Duck catch known packages and licenses — but M&A due diligence needs to catch what those scans miss too.
Agent hijacking: the real-world impact of prompt injection
From a zero-click Microsoft 365 Copilot breach to poisoned MCP servers, AI agent hijacking is now a real, documented software supply chain threat.
Can AI write secure code? Auditing AI-generated code
AI writes code fast, but studies from 2021 to 2025 show it also reproduces insecure patterns and invents fake dependencies. Here's what the data says.
Enterprise AppSec risk management at scale
Black Duck built its platform on decades of license-compliance SCA and acquired tools. Safeguard built a unified, reachability-aware supply-chain risk platform from day one.
How Copilot amplifies insecure codebases
Copilot writes ~46% of code where enabled, and studies show ~40% of its security-relevant suggestions are vulnerable. Here's the data on the risk.
AI-Generated Code Security: risks and controls
AI now writes up to 40%+ of new code, and models hallucinate nonexistent packages in 5-22% of outputs. Here's why Black Duck-style SCA misses that risk, and what controls actually work.