Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Open Source Security

Recurring vulnerability patterns in the PyPI ecosystem

PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.

Jul 14, 20266 min read
Supply Chain Attacks

Typosquatting and dependency confusion: a defense guide

In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.

Jul 14, 20266 min read
AI Security

Can AI-Generated Code Be Trusted? A Security Review

A 2025 USENIX study found LLMs hallucinate nonexistent packages in up to 21.7% of code samples — and attackers are already registering the names.

Jul 13, 20267 min read
Container Security

Containerizing Node.js apps: an updated Docker best-practices guide

The official node image ships a built-in non-root user, but COPY still writes files as root by default — most Node.js Dockerfiles never actually drop privileges.

Jul 13, 20267 min read
DevSecOps

DevSecOps best practices for secure builds: an 8-point SDLC framework

Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.

Jul 13, 20266 min read
Container Security

Docker image vulnerability scanning: best practices for CI/CD

Log4Shell hid in countless container images for years before scanning caught it. Here's how to scan base layers and gate builds before that happens again.

Jul 13, 20267 min read
Supply Chain Security

The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed

NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.

Jul 13, 20267 min read
Supply Chain Attacks

The faker.js and colors.js Sabotage: What Maintainer-Driven Risk Teaches About Pinning

In January 2022 a trusted maintainer bricked two npm packages with a combined 26M+ weekly downloads — from his own account, with valid credentials.

Jul 13, 20266 min read
Supply Chain Security

A patching playbook for critical open-source CVEs

Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.

Jul 13, 20266 min read
Best Practices

Securing Your Ruby Dev Environment on macOS: rbenv, rvm, and Checksums

60 malicious RubyGems downloaded ~275,000 times went undetected for years — here's how to actually verify what rbenv or rvm installs on your Mac.

Jul 13, 20265 min read
Container Security

Choosing a secure Node.js Docker base image

A stock node:18 image ships at roughly 940MB with 100-200 tracked CVEs; distroless variants land 80% smaller with 0-2. Here's the real tradeoff.

Jul 12, 20267 min read
Best Practices

Security considerations for authenticating CLI tools through corporate proxies

Two 2026 curl CVEs show proxy credentials leaking across redirects and reused connections — plus why .npmrc still stores proxy passwords in plaintext.

Jul 12, 20266 min read
supply-chain-security (Page 3) — Safeguard Blog