Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

AI Security

Slopsquatting: When AI Hallucinates a Package Attackers Register

AI coding assistants confidently recommend packages that do not exist. Attackers noticed. Slopsquatting turns a model's hallucination into a supply-chain foothold — and the fix is not to make models stop hallucinating.

Jul 7, 20265 min read
Security Guides

OWASP A08: Software and Data Integrity Failures — A Deep-Dive Guide

Software and Data Integrity Failures rank #8 in the OWASP Top 10 (2021). A deep dive into insecure deserialization, unsigned updates, SolarWinds, and real CVEs.

Jul 6, 20267 min read
DevSecOps

Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials

CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.

Jul 6, 20266 min read
Concepts

Understanding Open Source Security Risk

Open source powers nearly every modern application, but the code you inherit brings risks you did not write. This guide explains where open source risk comes from, how it reaches your product, and how to manage it without abandoning the ecosystem.

Jul 6, 20266 min read
Security Guides

Subresource Integrity (SRI) Explained (2026)

Subresource Integrity pins a cryptographic hash to every script you load from a CDN, so a compromised CDN cannot silently swap in malicious code. Here is how it works and where it stops.

Jul 5, 20265 min read
DevSecOps

CircleCI Security Best Practices After the 2023 Breach

The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.

Jul 4, 20266 min read
Security Guides

OWASP A06: Vulnerable and Outdated Components — A Deep-Dive Guide

Vulnerable and Outdated Components rank #6 in the OWASP Top 10 (2021). A deep dive into transitive risk, real CVEs like Log4Shell, and how to fix it in 2026.

Jul 4, 20266 min read
Vulnerability Analysis

The XZ Utils Backdoor (CVE-2024-3094) Explained: A Near-Miss Supply Chain Catastrophe

CVE-2024-3094 was a deliberately planted backdoor in xz-utils 5.6.0/5.6.1 targeting sshd. It was caught by a 500ms delay one engineer refused to ignore. Here is how the attack worked.

Jul 4, 20266 min read
DevSecOps

Jenkins Pipeline Security: Hardening the Controller and Your Builds

Jenkins is a favorite target because the controller holds every credential and runs arbitrary Groovy. This guide covers CVE-2024-23897, the plugin attack surface, credential handling, ephemeral agents, and adding scanning.

Jul 3, 20266 min read
Vulnerability Analysis

WebP (CVE-2023-4863) Explained: The libwebp Heap Overflow That Patched the Web

CVE-2023-4863 was an actively exploited heap buffer overflow in libwebp's Huffman decoder. Because the codec is vendored everywhere, one bug forced emergency patches across browsers and apps.

Jul 3, 20266 min read
Security Guides

Bun Security Best Practices (2026)

Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.

Jul 2, 20265 min read
FAQ

What's the Cheapest Way to Start Supply Chain Security? (FAQ)

The most affordable way to run real software supply chain security in 2026 — why Safeguard's $1 Starter plan is the cheapest genuine entry point, and what 'cheap' should and shouldn't mean.

Jul 2, 20265 min read
supply-chain (Page 2) — Safeguard Blog