software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Reconstructing a Real-World Dependency Confusion Incident...
A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.
Why Automated Package Publishing Pipelines Are a Growing ...
From tj-actions to xz utils, attackers are hijacking CI/CD pipelines to poison packages at the source. Here's why publishing pipelines are the new frontline.
SBOM Format Wars: CycloneDX vs SPDX in Practice
CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.
Regulatory Pressure and the Uneven Global Adoption of SBOMs
SBOM mandates now span the US, EU, and Japan, but each uses different formats, deadlines, and penalties. Here's how the patchwork actually works.
VEX Documents: The Missing Context That Makes SBOMs Actio...
SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.
Why Most SBOMs Go Stale the Day They're Generated
SBOMs decay the moment they're generated because dependency trees shift daily. Here's why point-in-time SBOMs fail during real incidents—and what continuous generation requires.
Federal Procurement Rules and Their Ripple Effect on Priv...
Federal rules from EO 14028 to FDA Section 524B and CMMC 2.0 have made SBOMs a procurement baseline — and the requirements are cascading into private-sector supply chains too.
Why Maintainer Burnout Is a Security Metric, Not Just an ...
The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.
Corporate Dependence on Volunteer-Maintained Projects: A ...
Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.
What Would It Actually Cost Companies to Fund Their Criti...
Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.
Security Training Gaps Among Solo Maintainers of High-Imp...
xz-utils, event-stream, and ua-parser-js show how single-maintainer projects lack the security training and support that high-impact infrastructure now demands.
Succession Planning for Open Source Projects: Why It Rare...
Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.