supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Insecure Deserialization Prevention in Java with Deserial...
Java deserialization RCEs still hit production years after JEP 290 shipped filters. Here's how JEP 290/415 filters work, common rollout mistakes, and how Safeguard closes the gaps.
Insecure Deserialization Prevention in Python: yaml.safe_...
Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.
Secure Random Number Generation in JavaScript with crypto...
Math.random() is predictable and unsafe for security tokens. Here's why Node's crypto.randomBytes() is the standard for secure JavaScript randomness.
Secure Random Number Generation in Ruby with SecureRandom
Ruby's built-in rand() uses a predictable Mersenne Twister and should never generate tokens, passwords, or session IDs. Here's how SecureRandom fixes that.
Secure Random Number Generation in Go with crypto/rand
Go's math/rand is fast but predictable. Here's why crypto/rand is the only safe choice for tokens, keys, and nonces -- and what changed in Go 1.20-1.24.
Secure Random Number Generation in Java with SecureRandom...
Why java.util.Random and even UUID.randomUUID() can leak predictable tokens, and how Java's SecureRandom and NIST DRBG providers actually protect secrets.
CVE-2020-8203: Prototype pollution in lodash zipObjectDeep
CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.
CVE-2021-44906: Prototype pollution in minimist
CVE-2021-44906 exposed a prototype pollution flaw in minimist versions before 1.2.6, letting attackers pollute Object.prototype via crafted parser keys.
CVE-2017-16137: ReDoS in debug package
CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.
CVE-2020-28469: ReDoS in glob-parent
CVE-2020-28469 is a ReDoS flaw in glob-parent before 5.1.2 that can hang processes parsing crafted glob strings. Here's the risk, timeline, and fix.
CVE-2018-1000620: ReDoS in marked markdown parser
A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.
CVE-2022-21680: ReDoS in marked via block token regexes
CVE-2022-21680: how a ReDoS in marked's block-tokenizer regexes could let attackers freeze Markdown-rendering services, plus affected versions, fix, and mitigation steps.