supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
757 articles
NuGet Signed Packages Verification
NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.
FIN7: Financial-Sector Supply Chain Tradecraft
FIN7 has spent a decade evolving from POS malware to supply chain operations. A look at the current tradecraft and the implications for financial-sector defenders.
Automotive ISO/SAE 21434: Supply Chain Implications
ISO/SAE 21434 makes cybersecurity a type-approval requirement. Here is how the standard reshapes OEM and tier-N software supply chain obligations.
Migrating VPN to Zero Trust: Supply Chain
A phased playbook for retiring corporate VPN concentrators in favor of zero trust network access, with specific guidance for protecting software supply chain pipelines.
Java Modules Supply Chain Security
The Java Platform Module System arrived in Java 9 and has aged into quiet maturity. What JPMS actually does for supply chain posture in enterprise Java.
OpenSSF Launches SIREN: A Mailing List for Open Source Threat Intelligence
The Open Source Security Foundation introduces SIREN, a dedicated mailing list for sharing real-time threat intelligence about attacks targeting open source ecosystems.
Play Ransomware: Supply Chain Exploitation Through Managed Service Providers
Play ransomware refined the MSP attack model, exploiting FortiOS and RDP vulnerabilities to cascade through managed service providers into hundreds of downstream organizations.
Signing Python Wheels in Production
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
Concourse CI Supply Chain Hardening
A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.
Earthly Containerized Builds Supply Chain
Earthly combines container isolation with Makefile-style ergonomics. Here's what that means for supply chain posture, with real Earthfile examples.
AWS IAM Roles Anywhere and the Supply Chain
IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authentication layer for supply chain tools. Here is what the threat model looks like.
JRuby Supply Chain Considerations
JRuby sits at the intersection of the Ruby and Java supply chains, and the security story reflects both. A look at how JRuby's dual nature affects gem security and what defenders should know.