Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Industry Analysis

Insecure Deserialization Prevention in Java with Deserial...

Java deserialization RCEs still hit production years after JEP 290 shipped filters. Here's how JEP 290/415 filters work, common rollout mistakes, and how Safeguard closes the gaps.

Oct 21, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in Python: yaml.safe_...

Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.

Oct 20, 20257 min read
Industry Analysis

Secure Random Number Generation in JavaScript with crypto...

Math.random() is predictable and unsafe for security tokens. Here's why Node's crypto.randomBytes() is the standard for secure JavaScript randomness.

Oct 20, 20257 min read
Industry Analysis

Secure Random Number Generation in Ruby with SecureRandom

Ruby's built-in rand() uses a predictable Mersenne Twister and should never generate tokens, passwords, or session IDs. Here's how SecureRandom fixes that.

Oct 19, 20257 min read
Industry Analysis

Secure Random Number Generation in Go with crypto/rand

Go's math/rand is fast but predictable. Here's why crypto/rand is the only safe choice for tokens, keys, and nonces -- and what changed in Go 1.20-1.24.

Oct 19, 20258 min read
Industry Analysis

Secure Random Number Generation in Java with SecureRandom...

Why java.util.Random and even UUID.randomUUID() can leak predictable tokens, and how Java's SecureRandom and NIST DRBG providers actually protect secrets.

Oct 18, 20257 min read
Vulnerability Analysis

CVE-2020-8203: Prototype pollution in lodash zipObjectDeep

CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.

Oct 17, 20258 min read
Vulnerability Analysis

CVE-2021-44906: Prototype pollution in minimist

CVE-2021-44906 exposed a prototype pollution flaw in minimist versions before 1.2.6, letting attackers pollute Object.prototype via crafted parser keys.

Oct 16, 20257 min read
Vulnerability Analysis

CVE-2017-16137: ReDoS in debug package

CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.

Oct 16, 20258 min read
Vulnerability Analysis

CVE-2020-28469: ReDoS in glob-parent

CVE-2020-28469 is a ReDoS flaw in glob-parent before 5.1.2 that can hang processes parsing crafted glob strings. Here's the risk, timeline, and fix.

Oct 14, 20257 min read
Vulnerability Analysis

CVE-2018-1000620: ReDoS in marked markdown parser

A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.

Oct 14, 20258 min read
Vulnerability Analysis

CVE-2022-21680: ReDoS in marked via block token regexes

CVE-2022-21680: how a ReDoS in marked's block-tokenizer regexes could let attackers freeze Markdown-rendering services, plus affected versions, fix, and mitigation steps.

Oct 13, 20257 min read
supply-chain-security (Page 72) — Safeguard Blog