software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
How Sponsorship Models (GitHub Sponsors, Tidelift, Open C...
GitHub Sponsors, Tidelift, and Open Collective pay maintainers in very different ways. Here's how their fees, payouts, and security guarantees actually compare.
Why Automated Tooling Can't Fully Replace Human Maintaine...
Automated scanners missed the XZ Utils backdoor for years. Here's why CVE scores, SAST tools, and dependency bots can't replace human maintainer judgment.
Why Security Debt Accumulates Fastest in the Most 'Produc...
High-velocity engineering teams accumulate the most security debt, not the least. Here's why speed hides risk — and how to catch it without slowing down.
Model Context Protocol Security 101: What Could Go Wrong ...
MCP lets AI models call tools automatically — and lets malicious servers hide instructions in plain sight. Here's how tool poisoning, rug pulls, and shadowing actually work.
Prompt Injection vs Traditional Injection Attacks: A Tech...
SQL injection was solved by separating code from data. Prompt injection can't be, because in an LLM they share one channel. Here's the technical comparison, with real exploits and dates.
The Jailbreaking Economy: How Model Vulnerabilities Get D...
Jailbreak prompts now trade like exploits: sold as $200/month "dark" chatbots, bountied by vendors for up to $15,000. Here's how that market actually works.
Least Privilege for AI Agents: Why It's Harder Than It So...
AI agents break least-privilege assumptions built for humans: they chain tools, act autonomously, and compose narrow scopes into broad access no one reviewed.
Why Traditional SAST Tools Struggle to Analyze Agentic Co...
Agentic codebases build call graphs at runtime, defeating static analysis. Here's why SAST tools miss prompt injection and tool-schema risks—and how Safeguard closes the gap.
Why Security Training Completion Rates Don't Predict Secu...
Completion rates measure attendance, not behavior. Here's why training checkboxes don't predict secure coding outcomes, and what to measure instead.
The Champion Model: Do Embedded Security Champions Actual...
Security champion programs cut vulnerabilities only under specific conditions. Here's what BSIMM, GitLab, and OWASP data show about when the champion model actually works.
Why Security and Engineering KPIs Are Still Misaligned in...
Security teams chase CVSS scores and SLA compliance while engineering chases velocity and uptime—two scorecards that were never built to agree.
The Hidden Cost of Context Switching Between IDE and Secu...
Jumping between your IDE and security dashboards isn't free. Here's what context switching really costs developers, and how to eliminate it.