supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
The libwebp heap overflow that patched half the internet: CVE-2023-4863
One heap buffer overflow in a 15-year-old image codec forced Chrome, Firefox, Edge, Electron apps, and entire Linux distros to ship emergency patches within days.
Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro
A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.
Dart and Flutter Security Best Practices: Storage, Transport, and the pub.dev Supply Chain
A Flutter binary ships to both stores from one codebase — including any hardcoded secret, any disabled TLS check, and any vulnerable pub.dev package. Here is how to close each gap.
Kubernetes Supply Chain Security: Trusting What You Deploy
The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.
Software Supply Chain Security for Defense
CMMC 2.0, NIST SP 800-171, DFARS clauses, and the DoD's push toward SBOM-backed software authorization have raised the bar for the defense industrial base. Here is what contractors need, including in air-gapped enclaves.
Anatomy of an npm Dependency Confusion Attack
One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.
Apache Struts and the recurring pattern of path-traversal and RCE bugs
Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.
Native-extension vulnerabilities in Python packages
numpy, pandas, cryptography, and lxml all ship compiled C/C++ code — and a Python SCA scan that only checks package versions can miss memory-safety bugs buried in that native layer.
Reducing Docker image build time without sacrificing security
Multi-stage builds and minimal base images can cut CI build times dramatically — and they're the same changes that shrink your CVE attack surface.
Securing Python Virtual Environments
A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.
Software Composition Analysis Best Practices for Engineering Teams
CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.
The Python pickle security model, explained
Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.