supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1053 articles
Hex.pm package registry security and Elixir supply chain ...
Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.
Mix dependency management and mix.lock integrity in Elixi...
A practical guide to mix.lock integrity: pinning Elixir dependencies, verifying lockfile hashes, and preventing supply chain tampering in mix.exs projects.
What is Image Signing
Container image signing binds a cryptographic signature to an image's digest so you can prove what's running is what was actually built — not just scanned.
Finding vulnerable .NET dependencies with dotnet list pac...
A step-by-step guide to scanning C# projects for vulnerable NuGet packages using dotnet list package --vulnerable, plus how to fix and monitor them continuously.
Case study: a malicious NuGet package compromise and its ...
Inside the Moq/SponsorLink malicious NuGet package incident: what shipped, who was exposed, and how to harden your .NET build pipeline against the next one.
CocoaPods supply chain security and Podfile.lock integrit...
A 2024 CocoaPods Trunk server flaw let attackers hijack orphaned pods and exposed a deeper gap: Podfile.lock never verified dependency integrity in the first place.
Swift Package Manager dependency resolution and pinning s...
SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.
Maven Central dependency confusion and namespace collisio...
How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.
Scanning Kotlin and Android projects with OWASP Dependenc...
A step-by-step guide to scanning Kotlin and Android projects with OWASP Dependency-Check: Gradle plugin setup, CI automation, triage, and suppressions.
PyPI typosquatting and malicious Python packages targetin...
PyPI typosquatting lets attackers slip malicious Python packages into your build with one typo. Real attacks, why PyPI is exposed, and how to stay safe.
Django SECRET_KEY exposure and settings.py secret managem...
A Django SECRET_KEY exposure can silently unravel session security, CSRF protection, and signed tokens. Here's how to find, fix, and prevent it for good.
What is the Principle of Least Functionality
The principle of least functionality (NIST CM-7) means shipping only the ports, services, and code a system needs—nothing extra "just in case."