supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Chrome Extension Cyberhaven Supply Chain Attack 2024
A technical retrospective on the 2024 Cyberhaven Chrome extension compromise: the phishing chain, the malicious OAuth flow, the exfiltration payload, and what actually changes browser-extension supply chain defense.
CycloneDX vs SPDX: Which Format For Your Program
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.
PCI DSS 4.0 Software Security Evidence Flow
PCI DSS 4.0 raises the bar for software security and supplier oversight. Learn how to satisfy Requirement 6 and 12.8 with continuous supply chain evidence.
Pod Supply Chain Attestation Validation
How to validate supply chain attestations at pod admission time without grinding deployments to a halt: which attestation types actually matter, how to chain verifications, and how to fail useful.
Software Supply Chain Side-Channel Attacks 2025
Side-channel attacks are moving from hardware into software supply chains, where build-time timing, error messages, and telemetry leak meaningful secrets.
Jenkins Supply Chain Security Baseline 2026
A 2026 supply chain security baseline for Jenkins: plugin hygiene, agent isolation, Pipeline-as-Code discipline, credentials, and provenance integration.
Engine-Plus-LLM vs Pure-LLM Bug Hunters
The difference between an engine-plus-LLM bug hunter and a pure-LLM one is not a tuning detail. It is a structural divide that determines whether the findings are usable.
Open Source Maintainer Targeting Trend
Open source maintainers are now a primary target for state and criminal actors. We trace the 2026 social engineering, infrastructure, and credential patterns.
Runtime Drift Detection For Supply Chain Controls
An admitted workload is not a static one. Runtime drift detection turns the SBOM into a living contract and surfaces supply chain changes before they become incidents.
Reflection-Based Dependency Confusion Techniques
Dependency confusion is moving beyond name-typosquat. Reflection-based techniques let attackers hijack packages through dynamic imports and runtime resolution.
Azure Artifacts Sigstore Integration Walkthrough 2026
A practical walkthrough for integrating Sigstore signing and verification with Azure Artifacts in 2026, including the gaps you should know about before starting.
Flowing Down CMMC And CRA Clauses To Vendors
CMMC 2.0 and the EU Cyber Resilience Act both require obligations to flow down through your supply chain. Here is how to write the clauses and verify the compliance.