supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Best security champions program and developer training pl...
A practical buyer's guide to security champions program tools — evaluation criteria, six real vendors compared honestly, and how to measure whether training actually reduces vulnerabilities.
jQuery CDN supply chain risk analysis
jQuery loads on ~75% of websites, often via CDNs with no SRI or version pinning. The cdnjs RCE and Polyfill.io hijack show why that trust model keeps failing.
Best attack surface management (ASM) tools
A practical buyer's guide comparing top attack surface management tools and ASM platforms, with honest strengths, limitations, and evaluation criteria.
XcodeGhost iOS supply chain malware campaign
XcodeGhost hid inside Xcode itself, silently infecting 4,000+ App Store apps like WeChat. Here is how the iOS supply chain malware campaign worked.
Best security orchestration, automation and response (SOA...
A practical buyer's guide to SOAR tools -- comparing Splunk, Cortex XSOAR, Microsoft Sentinel, Tines, Swimlane, and Torq for automation and incident response.
Docker Hub cryptojacking campaign analysis
Safeguard tracked a six-week Docker Hub cryptojacking campaign using 41 trojanized images, delayed payloads, and base-image laundering to evade scanners.
Best AI and LLM generated code security scanning tools
An honest buyer's guide to AI generated code security scanning tools: what to evaluate, how six real vendors stack up, and where they fall short.
Missing Rate Limiting on APIs and Login Endpoints
Missing rate limiting turned single APIs into 37-million-record breaches at T-Mobile and Optus. Here's why it happens, how attackers exploit it, and how to catch it first.
Best container registry vulnerability scanning tools
A practical look at container registry scanning tools — evaluation criteria, six real vendors compared fairly, and how Safeguard closes the supply-chain gaps scanning alone leaves open.
Compromise of Legitimate Upstream Packages
From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.
Unmaintained Open Source Software: A Supply Chain Risk
Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.
CI/CD pipeline security vulnerability trends
CI/CD pipelines now hold the keys attackers want most. Here's what tj-actions, Ultralytics, and Jenkins CVE-2024-23897 reveal about the trend.