supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Sonatype vs JFrog Xray: A Neutral Comparison for 2026
Sonatype and JFrog Xray both secure the software supply chain from the artifact repository outward, but they anchor to different platforms and philosophies. An honest side-by-side, plus a third option.
Software Supply Chain Security for Product Security Teams
Product security teams own the security of what ships and stays shipped. Here is how to embed supply chain controls across the SDLC, run PSIRT for third-party CVEs, and manage security debt in released products without owning every repo yourself.
What Is Sigstore?
Sigstore is an open-source project for signing and verifying software without managing long-lived keys. Here's how Cosign, Fulcio, and Rekor make keyless signing work.
C++ Security Best Practices: Memory Safety, Hardening Flags, and the C/C++ Supply Chain
Microsoft attributes roughly 70% of its CVEs to memory-safety bugs, and the xz backdoor proved the C/C++ supply chain is a live target. Here is the practical hardening path for code you can't rewrite.
Dependency Management Best Practices for Secure Software
Your app is mostly other people's code. A 2026 guide to managing dependencies securely — lockfiles, provenance, SBOMs, update strategy, and reachability — so a bad package doesn't become your breach.
Dependency Management: Frequently Asked Questions
A practical FAQ on managing software dependencies in 2026 — direct vs transitive, lockfiles, semantic versioning, safe updates, dependency confusion, and keeping trees clean.
How to Get Into Software Supply Chain Security
Software supply chain security is one of the hottest specialties in the field—and one of the least crowded. Here is how students and career-changers can break into it, from the core concepts to a portfolio that stands out.
NuGet Supply Chain Security: Protecting Your .NET Dependencies
How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.
Secure Defaults, Explained
Secure defaults mean the out-of-the-box configuration is the safe one, and weakening it requires a deliberate opt-in. Here's why the default state decides most real-world security outcomes.
Securing Container Registries: From Push to Pull
Your registry is the single point every image passes through — and a favorite target for attackers who want to poison many deployments at once. Here is how to lock it down end to end.
Software Supply Chain Security for Startups
For a startup, supply chain security is less about compliance mandates and more about closing enterprise deals and surviving the incident that could end you. Here is how to get it right with a small team.
Software Supply Chain Security for Compliance Officers
For compliance officers, supply chain security is an evidence problem before it is a technical one. Here is how to map controls to frameworks, keep evidence current, and pass an audit without turning your engineers into a documentation team.