Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Vulnerability Management

The libwebp heap overflow that patched half the internet: CVE-2023-4863

One heap buffer overflow in a 15-year-old image codec forced Chrome, Firefox, Edge, Electron apps, and entire Linux distros to ship emergency patches within days.

Jul 8, 20266 min read
Supply Chain Attacks

Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro

A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.

Jul 8, 20266 min read
Security Guides

Dart and Flutter Security Best Practices: Storage, Transport, and the pub.dev Supply Chain

A Flutter binary ships to both stores from one codebase — including any hardcoded secret, any disabled TLS check, and any vulnerable pub.dev package. Here is how to close each gap.

Jul 7, 20266 min read
Container Security

Kubernetes Supply Chain Security: Trusting What You Deploy

The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.

Jul 7, 20265 min read
Solutions

Software Supply Chain Security for Defense

CMMC 2.0, NIST SP 800-171, DFARS clauses, and the DoD's push toward SBOM-backed software authorization have raised the bar for the defense industrial base. Here is what contractors need, including in air-gapped enclaves.

Jul 7, 20266 min read
Supply Chain Attacks

Anatomy of an npm Dependency Confusion Attack

One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.

Jul 7, 20266 min read
Application Security

Apache Struts and the recurring pattern of path-traversal and RCE bugs

Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.

Jul 7, 20266 min read
Open Source Security

Native-extension vulnerabilities in Python packages

numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.

Jul 7, 20266 min read
DevSecOps

Reducing Docker image build time without sacrificing security

Multi-stage builds and minimal base images can cut CI build times dramatically — and they're the same changes that shrink your CVE attack surface.

Jul 7, 20266 min read
Application Security

Securing Python Virtual Environments

A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.

Jul 7, 20267 min read
DevSecOps

Software Composition Analysis Best Practices for Engineering Teams

CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.

Jul 7, 20267 min read
Application Security

The Python pickle security model, explained

Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.

Jul 7, 20266 min read
supply-chain-security (Page 14) — Safeguard Blog