Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

757 articles

Ransomware

Medusa Ransomware: How Supply Chain Infiltration Became Their Signature Move

Medusa ransomware operators have refined a playbook that targets managed service providers and software vendors as stepping stones into hundreds of downstream victims.

Nov 5, 20246 min read
Best Practices

Scoping a Vulnerability Bounty Program for Supply Chain

How to scope a bug bounty program that addresses supply chain risks: in-scope assets, payout tiers, triage workflow, and avoiding the trap of dependency CVE bounties.

Oct 30, 20246 min read
Open Source Security

Rust Procedural Macros: Security Risks

Proc macros are Rust code that runs at compile time with the privileges of the developer. They are one of the most underexamined pieces of the Rust supply chain.

Oct 28, 20246 min read
DevSecOps

Buildkite Supply Chain Hardening

A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token rotation strategy that keeps the trust model intact.

Oct 25, 20248 min read
Vulnerability Management

Differential Testing for Supply Chain Vulns

Differential testing compares the behavior of multiple implementations of the same specification. In supply-chain work, it surfaces bugs that nobody else can see.

Oct 25, 20247 min read
DevSecOps

Buck2 (Meta) Build Security Considerations

A security engineer's look at Buck2, Meta's open-source build system, including Starlark sandbox properties, remote execution, and actual supply chain guarantees.

Oct 22, 20247 min read
Best Practices

On-Prem to Cloud Supply Chain Continuity

A year inside a financial services cloud migration, and how to keep your software supply chain intact when everything else about the environment changes.

Oct 22, 20247 min read
Best Practices

React Native Supply Chain Risks in 2024

React Native bundles native modules, JavaScript dependencies, and CodePush-style OTA updates into one app. The supply chain is vast and the remediation path is slower than web apps. Here is where it actually goes wrong.

Oct 22, 20247 min read
Software Supply Chain Security

Typosquatting Meets AI: The New Threat of AI-Generated Package Names

AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.

Oct 20, 20247 min read
Compliance & Frameworks

CISA's SBOM Sharing Lifecycle: A Framework for Practical Adoption

CISA releases updated guidance on SBOM sharing practices, addressing the full lifecycle from generation to consumption across supplier and buyer relationships.

Oct 15, 20246 min read
Open Source Security

dotnet restore Reproducibility Concerns

dotnet restore is supposed to be deterministic. In practice it is deterministic in ways that matter less and non-deterministic in ways that matter more.

Oct 12, 20247 min read
Industry Analysis

Kimsuky Developer Targeting Analysis

Kimsuky has pivoted from diplomats to developers. A look at the tradecraft behind its supply-chain-flavored operations and what engineering orgs should do about it.

Oct 10, 20246 min read
supply-chain (Page 35) — Safeguard Blog