supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
757 articles
Medusa Ransomware: How Supply Chain Infiltration Became Their Signature Move
Medusa ransomware operators have refined a playbook that targets managed service providers and software vendors as stepping stones into hundreds of downstream victims.
Scoping a Vulnerability Bounty Program for Supply Chain
How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and avoiding the trap of dependency CVE bounties.
Rust Procedural Macros: Security Risks
Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.
Buildkite Supply Chain Hardening
A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token rotation strategy that keeps the trust model intact.
Differential Testing for Supply Chain Vulns
Differential testing compares the behavior of multiple implementations of the same specification. In supply-chain work, it surfaces bugs that nobody else can see.
Buck2 (Meta) Build Security Considerations
A security engineer's look at Buck2, Meta's open-source build system, including Starlark sandbox properties, remote execution, and actual supply chain guarantees.
On-Prem to Cloud Supply Chain Continuity
A year inside a financial services cloud migration, and how to keep your software supply chain intact when everything else about the environment changes.
React Native Supply Chain Risks in 2024
React Native bundles native modules, JavaScript dependencies, and CodePush-style OTA updates into one app. The supply chain is vast and the remediation path is slower than web apps. Here is where it actually goes wrong.
Typosquatting Meets AI: The New Threat of AI-Generated Package Names
AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.
CISA's SBOM Sharing Lifecycle: A Framework for Practical Adoption
CISA releases updated guidance on SBOM sharing practices, addressing the full lifecycle from generation to consumption across supplier and buyer relationships.
dotnet restore Reproducibility Concerns
dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.
Kimsuky Developer Targeting Analysis
Kimsuky has pivoted from diplomats to developers. A look at the tradecraft behind its supply-chain-flavored operations and what engineering orgs should do about it.