supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1053 articles
JWT (JSON Web Token)
A JWT (JSON Web Token) is a compact, signed token used to prove identity and claims between systems. Here's how they work, and where they break.
What is RAG (Retrieval-Augmented Generation) Security
RAG pipelines blend retrieved data with model instructions, creating prompt injection, poisoning, and embedding-leak risks traditional AppSec tools miss.
TOCTOU (Time-of-check to time-of-use)
TOCTOU flaws let attackers swap a file or resource after it's validated but before it's used, turning a safe check into an exploitable race.
HMAC
HMAC is a cryptographic construct that combines a hash function with a secret key to verify both the integrity and authenticity of a message.
What is the NIST Cybersecurity Framework
A breakdown of the NIST Cybersecurity Framework's six functions, its 2024 update, and why GV.SC makes it central to software supply chain security.
Perfect forward secrecy
Perfect forward secrecy stops a single leaked TLS key from unlocking years of past traffic. Here's how ephemeral key exchange works, and why it matters for supply chain security.
Cryptographic salt vs pepper
What is a cryptographic salt, and how does it differ from pepper in password hashing? A technical breakdown of salted hashes, bcrypt salt rounds, and best practices.
Golden ticket attack
A golden ticket attack forges Kerberos TGTs using a stolen krbtgt hash, giving attackers persistent, near-total control over Active Directory.
JavaScript Security Explained
JavaScript security means managing three attack surfaces: runtime bugs, browser XSS, and npm supply chain compromise — the last of which caused 2025's biggest incidents.
Living off the land (LOTL) techniques
A precise breakdown of living off the land (LOTL) attacks: how LOLBins, fileless malware, and dual-use tool abuse let intruders hide in plain sight.
Node.js Security Best Practices
Node.js supply chain attacks like event-stream, ua-parser-js, and Shai-Hulud show why dependency depth is the real risk -- here's what actually reduces it.
Business email compromise (BEC)
Business email compromise (BEC) tricks employees into wiring funds or data to attackers posing as executives or vendors. Here is how BEC fraud actually works.