supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1052 articles
Typosquatting across package registries (npm, Go, PyPI)
Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.
npm/package health and quality scoring methodology
How npm package health scores are calculated, why Socket.dev's model misses live supply chain attacks, and what Safeguard checks instead.
Real-time threat feed for open source malware detection
Malicious npm and PyPI packages spread in hours, not days. Here's why real-time threat feeds beat periodic scans, and how Safeguard detects supply chain malware before install.
Blocking malicious installs with a dependency firewall
How a dependency firewall stops malicious npm installs before they run, where Socket.dev-style scanners fall short, and how Safeguard closes the gap.
Pull-request-level dependency scanning on GitHub
Socket.dev popularized flagging risky dependencies inside GitHub pull requests. Here's how that scanning works, where it falls short, and what closes the gaps.
Cyber insurance requirements for application security programs
Cyber insurers now require SBOMs, patch SLAs, and audit trails for AppSec programs. Here's what carriers actually ask for and how to pass renewal.
Security scanning for MCP servers and AI agent tool use
MCP servers give AI agents direct tool access, but most ship unvetted. Here's how security scanning catches tool poisoning and rug-pull attacks.
Spring4Shell RCE vulnerability explained CVE-2022-22965
CVE-2022-22965 (Spring4Shell) lets attackers achieve unauthenticated RCE on Spring MVC/Tomcat apps. Here's the CVSS/EPSS/KEV data, timeline, and fixes.
Log4Shell remediation cheat sheet
A practical, no-fluff Log4Shell remediation cheat sheet: affected versions, CVSS/EPSS/KEV context, timeline, and the exact steps to close CVE-2021-44228.
Aikido vs Socket: supply chain security comparison
Aikido bundles SAST/DAST/SCA into one ASPM platform; Socket digs into package behavior. Here's where Safeguard's provenance-first approach fits between them.
Aikido vs GitGuardian: secrets scanning comparison
Searching "Aikido vs GitGuardian"? Here's how Safeguard's secrets detection, validation, and remediation approach actually compares to Aikido Security.
The XZ backdoor CVE-2024-3094 deep dive
A technical deep dive into CVE-2024-3094, the XZ Utils/liblzma SSH backdoor: affected versions, severity context, full timeline, and remediation steps.