Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Application Security

Why LLM API keys should be treated as tier-zero secrets

A leaked LLM API key is a blank check and a data pipe in one credential. Here's why it demands tier-zero controls—and why tools like Black Duck never see it.

Jun 12, 20268 min read
AI Security

AI hallucinations and their security implications for developers

LLMs hallucinate nonexistent packages in up to 1 in 5 code samples — and slopsquatting attacks are already exploiting that predictability in the wild.

Jun 12, 20266 min read
Compliance

What are Open Source Licenses?

Open source licenses govern how 96% of modern codebases can legally be used. Here's how license compliance works, where Black Duck's approach falls short, and how to close the gaps.

Jun 9, 20267 min read
Threat Intelligence

OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target

The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.

Jun 8, 20267 min read
Compliance

Sonatype Trust Center and Security Program Overview

Sonatype's trust center offers compliance snapshots on request. Safeguard compares that model to continuous, evidence-based supply chain verification.

Jun 8, 20267 min read
AI Security

Data poisoning attacks against LLMs

A $60 domain purchase or 250 documents can backdoor an LLM. Here's how data poisoning attacks work, real cases, and how to defend against them.

Jun 8, 20267 min read
Buyer's Guides

Sonatype Lifecycle (SCA + Repository Firewall) Deep Dive

A concrete look at how Safeguard compares to Sonatype Lifecycle on deployment architecture, vulnerability data sourcing, and CI/CD fit for teams evaluating alternatives.

Jun 8, 20268 min read
Supply Chain Security

Why postinstall Scripts Became the Frontline of the Software Supply Chain Attack

Install-time script execution turned npm install and pip install into code-execution events. Here is how 2026's wave of attacks works, and the lockfile, allowlist, and sandbox discipline that actually stops it.

Jun 7, 20267 min read
AI Security

Snyk VulnBench: benchmarking LLMs on repeat vulnerability discovery

Snyk's VulnBench JS 1.0 ran 300 repeated LLM scans and found half of non-reference findings vanish on rerun—raising the bar for AI security tooling.

Jun 7, 20267 min read
AI Security

Protestware via prompt injection: the jqwik 1.10.0 case

jqwik 1.10.0 hid a prompt injection telling AI coding agents to delete tests. Here's how it worked, why it's protestware, and how to catch it.

Jun 7, 20267 min read
Supply Chain Security

After the Worms: A CI/CD Security Playbook for Developer Credentials in 2026

The 2026 npm and PyPI worms proved that a trusted release pipeline is a credential vault. Here is what IronWorm and Mini Shai-Hulud actually exploited, and how to harden CI/CD before the next one lands.

Jun 6, 20268 min read
AI Security

Anthropic Claude Enterprise security features overview

Claude Enterprise ships strong SSO, SCIM, audit logging, and SOC 2/ISO compliance — but its controls stop at the API boundary, leaving code and dependencies exposed.

Jun 6, 20266 min read
supply-chain-security (Page 26) — Safeguard Blog