Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Open Source Security

Reconstructing a Real-World Dependency Confusion Incident...

A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.

Jul 31, 20257 min read
DevSecOps

Why Automated Package Publishing Pipelines Are a Growing ...

From tj-actions to xz utils, attackers are hijacking CI/CD pipelines to poison packages at the source. Here's why publishing pipelines are the new frontline.

Jul 30, 20257 min read
Buyer's Guides

SBOM Format Wars: CycloneDX vs SPDX in Practice

CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.

Jul 30, 20257 min read
SBOM

Regulatory Pressure and the Uneven Global Adoption of SBOMs

SBOM mandates now span the US, EU, and Japan, but each uses different formats, deadlines, and penalties. Here's how the patchwork actually works.

Jul 29, 20258 min read
SBOM

VEX Documents: The Missing Context That Makes SBOMs Actio...

SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.

Jul 29, 20257 min read
SBOM

Why Most SBOMs Go Stale the Day They're Generated

SBOMs decay the moment they're generated because dependency trees shift daily. Here's why point-in-time SBOMs fail during real incidents—and what continuous generation requires.

Jul 29, 20257 min read
SBOM

Federal Procurement Rules and Their Ripple Effect on Priv...

Federal rules from EO 14028 to FDA Section 524B and CMMC 2.0 have made SBOMs a procurement baseline — and the requirements are cascading into private-sector supply chains too.

Jul 28, 20257 min read
Open Source Security

Why Maintainer Burnout Is a Security Metric, Not Just an ...

The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.

Jul 27, 20256 min read
Open Source Security

Corporate Dependence on Volunteer-Maintained Projects: A ...

Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.

Jul 27, 20257 min read
Open Source Security

What Would It Actually Cost Companies to Fund Their Criti...

Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.

Jul 27, 20257 min read
Open Source Security

Security Training Gaps Among Solo Maintainers of High-Imp...

xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.

Jul 26, 20257 min read
Open Source Security

Succession Planning for Open Source Projects: Why It Rare...

Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.

Jul 26, 20257 min read
software-supply-chain (Page 41) — Safeguard Blog