Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Open Source Security

The Unpaid Labor Behind Critical Internet Infrastructure

Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.

Jul 27, 20257 min read
Open Source Security

Succession Planning for Open Source Projects: Why It Rare...

Most open source maintainers have no succession plan. That gap has already caused real incidents, from event-stream to XZ Utils, and it explains why.

Jul 26, 20257 min read
Open Source Security

The XZ Utils Incident as a Case Study in Maintainer Trust...

CVE-2024-3094 shows how a patient social-engineering campaign turned trusted open source maintainership into a near-catastrophic SSH backdoor.

Jul 26, 20257 min read
Open Source Security

Why Automated Tooling Can't Fully Replace Human Maintaine...

Automated scanners missed the XZ Utils backdoor for years. Here's why CVE scores, SAST tools, and dependency bots can't replace human maintainer judgment.

Jul 25, 20257 min read
Open Source Security

Measuring Project Health: Bus Factor, Commit Velocity, an...

Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.

Jul 25, 20259 min read
Cloud Security

Cloud-to-Code Traceability: Connecting Production Inciden...

When a production alert fires, it names an IP or image hash—rarely a commit or author. Here's why that gap exists and how to close it fast.

Jul 24, 20258 min read
Application Security

eBPF and OpenTelemetry: The New Instrumentation Layer for...

eBPF and OpenTelemetry are becoming AppSec's new runtime instrumentation layer, catching supply chain attacks like the xz backdoor that static scanners miss entirely.

Jul 23, 20257 min read
AI Security

Tool Poisoning Attacks: How Malicious Instructions Hide I...

AI agent tools can hide invisible instructions attackers use to steal data. Here's how tool poisoning attacks work and how Safeguard stops them.

Jul 22, 20256 min read
AI Security

Agent Skill Marketplaces as the Next Frontier for Supply ...

Agent skill marketplaces are repeating npm and PyPI's supply chain mistakes—except the malicious payload is often a sentence of instructions, not code. Here's what's already been exploited.

Jul 22, 20257 min read
Supply Chain

SCA Security Testing: A Workflow Guide

SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.

Jul 21, 20255 min read
AI Security

Why Autonomous Coding Agents Need Their Own Threat Model

Coding agents run with real credentials and no pause button. Here is the threat model that treats them as autonomous infrastructure, not junior developers.

Jul 21, 20257 min read
AI Security

Distinguishing Model Risk from Application Risk in Agenti...

Model flaws and application flaws in AI agents cause different breaches and need different fixes. Real incidents show where each risk actually lives — and how to test for both.

Jul 21, 20257 min read
supply-chain-security (Page 81) — Safeguard Blog