supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
One Policy Set, Four Enforcement Points
Different gates with different rules create gaps and developer friction. A unified policy engine evaluates one definition at PR, build, admission, and runtime.
Zero-Day Triage Without Drowning Engineers
A zero-day discovery pipeline is only as useful as the triage process around it. Here is what triage looks like when the pipeline gives engineers something they can defend.
Retail POS Supply Chain Security in 2026
Retail point-of-sale environments combine PCI scope, vendor-managed software, and thousands of physical endpoints. Here is the 2026 supply chain baseline that actually works at scale.
Asset Discovery For M&A Due Diligence
M&A due diligence runs on questionnaires that nobody can verify. Continuous asset discovery turns the diligence period into a data exercise.
AWS re:Inforce 2026 Supply Chain Sessions: Field Notes
Field notes from AWS re:Inforce 2026 supply chain track: signing at scale, SBOM adoption, and the Inspector and ECR updates that actually matter.
.NET / NuGet Enterprise Supply Chain Program
An enterprise-grade .NET and NuGet supply chain program for 2026 — covering feeds, lockfiles, MSBuild targets, and runtime — backed by Safeguard.
Evaluating Vendor Attestations: SOC 2 / FedRAMP
A SOC 2 report does not mean the vendor is secure. Here is how to read attestations carefully, what FedRAMP actually proves, and how to ingest both at scale.
How to Implement SLSA Level 3 Practically
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
DNS Cache Poisoning for Software Updates: 2025
DNS cache poisoning is a known attack class with a new application: hijacking software update checks to ship malicious binaries that pass every signature check.
SPDX 3.0 Feature Overview for 2026
What changed in SPDX 3.0 and the 3.0.1 patch release: the profile model, AI and dataset profiles, serialization choices, and what to migrate first.
ISO 27001:2022 Aligned Supply Chain Program
ISO 27001:2022 added explicit supply chain controls in Annex A. Learn how to build a program that satisfies A.5.19 through A.5.23 with continuous evidence.
Runtime Container Drift: Supply Chain Implications
Runtime drift is the last honest witness in container supply chain defence. This post covers what drift signals tell you, how to instrument for them, and how to investigate without overwhelming on-call.