supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Building an SBOM Program from Scratch: A Practical Guide
Standing up an SBOM program is more than picking a tool. This guide covers organizational buy-in, tooling selection, automation, and scaling from your first BOM to enterprise-wide adoption.
Linux Kernel Supply Chain Security: How the World's Largest Project Protects Itself
The Linux kernel is the most critical open source project on earth. Its supply chain security practices offer lessons for every project, but also reveal challenges that scale creates.
Software Supply Chain Security in Banking: A Practical Guide
Banks face unique software supply chain risks. This guide covers real threats, regulatory expectations, and what security teams should actually be doing.
Secrets Management: Preventing Credential Leaks in Your Software Supply Chain
Hardcoded credentials remain the most common source of breaches. Despite a decade of tooling improvements, secrets keep leaking through source code, container images, CI logs, and dependency configurations. Here is how to actually fix it.
The OWASP Top 10 (2021) Through a Supply Chain Security Lens
The 2021 OWASP Top 10 added supply chain risks for the first time. Here is what each category means when your code is mostly someone else's code.
AWS Supply Chain Security Best Practices You Should Adopt Today
A practical guide to securing your software supply chain on AWS, from ECR image provenance to CodePipeline hardening.
Certificate Authority Compromise and Supply Chain Risks
A compromised certificate authority can undermine TLS trust for your entire software supply chain. Understanding CA risks is essential for defending package integrity and secure distribution.
Software Supply Chain Security for Startups: A Practical Guide
You don't need a massive security team to get supply chain security right. Here's a pragmatic, prioritized approach for startups that balances risk reduction with engineering velocity.
Log4j and the Maintainer Burnout Crisis Nobody Talks About
The Log4Shell vulnerability exposed more than a critical flaw in Java logging. It revealed a systemic failure in how the industry treats the people who maintain critical open source infrastructure.
Zero-Day Vulnerabilities in Open Source: 2021 in Review
2021 saw a record number of zero-day exploits targeting open-source software. From Log4Shell to ProxyShell, here's what happened and what it means for defenders.
NTIA SBOM Minimum Elements: What Your SBOM Actually Needs to Contain
The NTIA published its minimum elements for SBOMs in July 2021. Here's a practical breakdown of what's required, what's optional, and where most organizations fall short.
Third-Party Risk Management for Software Vendors: Beyond the Questionnaire
Security questionnaires are still how most organizations evaluate vendor risk. They're also still mostly useless. Here's what actually works.