supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
ISO 27001 and NIST Framework Alignment for Supply Chain V...
How ISO 27001:2022 and NIST's SSDF, SP 800-161, and CSF 2.0 converge on software supply chain vendors—and where CVE-only scanning tools leave compliance gaps.
Infosecurity Europe 2026 Recap: Agentic AI Security Owned the Floor at ExCeL London
Agentic AI, post-quantum cryptography, and ransomware economics dominated Infosecurity Europe 2026. Here is what actually mattered on the floor at ExCeL London, and what was hype.
Sonatype Firewall: Malicious Package Protection
Sonatype's Repository Firewall blocks known malicious packages at the door, but timing gaps and single-source blind spots still let real threats through.
LLM output validation and sanitization best practices
LLM output is untrusted input to everything downstream. Here's how to validate, encode, and sandbox it before it becomes your next injection vector.
Zero-day risk in third-party AI model dependencies
Malicious Hugging Face models, a trojanized Ultralytics PyPI release, and a torch.load bypass show AI model dependencies now carry real zero-day risk.
Sonatype Guide: Securing Agentic AI Development
Sonatype's new guide reframes AI dependency risk, but its scanner-based model can't govern agents that install packages and call MCP tools on their own. Here's the gap and how to close it.
Best Container Scanning Tools in 2026: An Honest Buyer's Guide
An honest guide to the best container scanning tools in 2026 — from open-source scanners like Trivy and Grype to cloud-context platforms like Wiz and Aqua — with clear guidance on which fits your CI/CD pipeline, registry, and runtime.
Best SCA Tools in 2026: Software Composition Analysis Compared
An honest comparison of the best SCA tools in 2026 — Snyk, Endor Labs, Socket, Mend, Sonatype, JFrog, Trivy, and Safeguard — covering reachability analysis, malicious-package detection, SBOM/AIBOM, and remediation, with a clear best-for line for each.
What Is SLSA (Supply-chain Levels for Software Artifacts)
SLSA verifies how software was built, not just what is inside it. Here is what the four build levels mean and how it differs from SBOM-only tooling.
Post-Quantum Cryptography in 2026: Where Enterprise Migration Actually Stands
The NIST standards are final, the deadlines are real, and the harvest-now-decrypt-later clock is running. Here is an honest look at what enterprise PQC migration looks like in 2026 — and why crypto-agility matters more than picking an algorithm.
Container registries explained: Docker Hub vs private/ent...
Docker Hub vs. private/enterprise registries explained, with a look at where JFrog Artifactory fits — and why registry choice alone doesn't solve supply chain security.
Agentic supply chain security: governing autonomous AI co...
AI coding agents now open PRs, merge code, and touch secrets on their own. Here's why JFrog-style artifact scanning can't govern them, and what can.