Safeguard
Tag

ssdf

Safeguard articles tagged "ssdf" — guides, analysis, and best practices for software supply chain and application security.

21 articles

DevSecOps

DevSecOps best practices for secure builds: an 8-point SDLC framework

Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.

Jul 13, 20266 min read
Best Practices

What CISA's Secure by Design Pledge Actually Requires

CISA's Secure by Design pledge asks 68+ vendors for measurable one-year progress on 7 goals. Here's what those goals mean for engineering teams.

Jul 10, 20266 min read
DevSecOps

Embedding security-by-design into DevSecOps risk management across the SDLC

NIST's SSDF turns 'shift left' into eleven concrete practices — but a framework on paper doesn't stop a bad merge. Here's how to make it enforceable.

Jul 10, 20267 min read
Concepts

Introduction to Secure Software Development

Security is not a phase you bolt on at the end — it is a set of practices woven through every stage of building software. This guide introduces the secure development lifecycle, the practices that matter at each stage, and how to get started.

Jul 5, 20266 min read
Compliance

FedRAMP Moderate authorization and AppSec controls

Veracode's FedRAMP Moderate authorization is a procurement accelerant, not proof of AppSec efficacy. Here's what the badge covers, what it doesn't, and what federal buyers should verify.

Jun 18, 20267 min read
Compliance

EO 14028 producer self-attestation: where the CISA Form sits in 2026

The CISA Secure Software Development Attestation Form went live in March 2024. Two years and several revisions later, here is what producers actually have to attest, and where the common gotchas are.

May 14, 20268 min read
AI Security

NIST SP 800-218A: Operationalizing AI Secure Development in 2026

NIST SP 800-218A turned the SSDF into an AI community profile in July 2024. Eighteen months later, what does real adoption look like for AI software teams?

May 13, 20267 min read
Compliance

CISA Secure by Design Operational Guidance 2026

Translating CISA's Secure by Design pledge into operational engineering work in 2026, with the specific control mappings and evidence practices that hold up to audit.

May 8, 20265 min read
Compliance

NIST 800-53 security and privacy controls overview

A breakdown of NIST 800-53 Rev 5's control families, SBOM and supply-chain requirements, and why scanning tools like Anchore cover only a narrow slice of what compliance demands.

Mar 24, 20267 min read
Compliance

NIST 800-218 / SSDF attestation requirements

What NIST SP 800-218 (SSDF) attestation actually requires, the CISA form's four claims, key OMB deadlines, and where Anchore's SBOM-first approach leaves gaps Safeguard closes.

Mar 24, 20267 min read
Compliance

What is Executive Order 14028

EO 14028 forced federal software vendors to prove what's in their code. Here's what it requires, who it binds, and what's changed since 2021.

Feb 26, 20266 min read
Compliance

NIST SSDF Audit: What Auditors Actually Check

A practical walkthrough of what NIST Secure Software Development Framework audits look like in 2026, where evidence gaps show up, and how to prepare without burning out engineering.

Feb 18, 20266 min read
ssdf — Safeguard Blog