supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1053 articles
Enforcing signed and attested container images with Binar...
A step-by-step guide to enforcing signed, attested container images in GKE with Binary Authorization — from attestor setup to policy enforcement and troubleshooting.
Alibaba fastjson deserialization RCE (CVE-2022-25845)
A critical AutoType-bypass RCE in Alibaba fastjson (CVSS 9.8, EPSS ~99th pct) hits any app parsing untrusted JSON. Here's how to detect and fix it.
Managing and securing GCP service account keys
A practical, step-by-step guide to GCP service account key security: disable key creation, adopt impersonation, rotate remaining keys, and monitor for misuse.
What Software Delivery Shield does for end-to-end supply ...
A breakdown of what Google Cloud's Software Delivery Shield actually does — SLSA provenance, SBOM generation, Binary Authorization — and where its coverage gaps still leave supply chains exposed.
Apache Commons Collections deserialization gadget RCE (CVE-2015-7501)
A decade-old Apache Commons Collections deserialization gadget chain still enables unauthenticated RCE across legacy Java middleware. Here's how to find and fix it.
Generating SBOMs and provenance with GCP Artifact Analysis
A step-by-step guide to GCP SBOM generation using Artifact Analysis: scan container images, export SPDX/CycloneDX SBOMs, and attach SLSA provenance attestations.
OpenSSL BN_mod_sqrt infinite loop DoS (CVE-2022-0778)
CVE-2022-0778 lets attackers hang OpenSSL with a single malformed certificate. Here's the impact, affected versions, and how to remediate fast.
The State of SBOM Adoption in 2026: Progress, Gaps, and Reality
SBOM adoption has grown rapidly, but maturity varies wildly. Here's where the industry actually stands heading into 2026.
Using GCP organization policy constraints to enforce secu...
GCP organization policy security constraints turn security intent into enforceable guardrails across your resource hierarchy, closing gaps IAM alone cannot.
Securing Cloud Build pipelines and generating SLSA proven...
How to secure Cloud Build supply chain security with least-privilege service accounts and SLSA provenance so tampered builds never reach production.
Comparing security models of GKE Autopilot versus Standar...
GKE Autopilot security vs Standard clusters draw the shared-responsibility line very differently. Here's what changes for pod security and hardening.
runc container escape via file descriptor overwrite (CVE-2019-5736)
CVE-2019-5736 let malicious containers overwrite the host runc binary and gain root — here's the mechanism, affected versions, and how to remediate it.