supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Third-Party Risk Management for Software Vendors
A practical TPRM program for software vendors covering intake, tiering, annual review, SBOM ingestion, and continuous monitoring with staffing ratios and budgets.
Developer Workstation Forensics for Supply Chain
Forensic procedures for a developer workstation that may have executed a malicious package, from live triage through full imaging.
Open Source AI Model Security: The Emerging Threat Landscape
As open source AI models proliferate, their security implications extend far beyond traditional software vulnerabilities. Model poisoning, supply chain tampering, and unsafe deserialization create new attack surfaces.
Spring Dependency Management Supply Chain
Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.
Chronicle Security Supply Chain Queries
Writing YARA-L detection rules and UDM queries in Google Chronicle (now Security Operations) to catch software supply chain threats at scale.
Critical Infrastructure Software Supply Chain
How the 16 critical infrastructure sectors are absorbing software supply chain obligations under PPD-21, NSM-22, and CISA's emerging frameworks.
Twilio 2022 Incidents: Supply Chain Lessons
Twilio disclosed two social engineering incidents in 2022 that cascaded through its customer base; the supply chain lessons remain relevant for any B2B vendor.
EU NIS2 Directive: What Software Supply Chain Teams Need to Know
The NIS2 Directive imposes new cybersecurity obligations across the EU, with specific requirements for supply chain risk management that affect software vendors and their customers.
PyPI Supply Chain Attacks: Q1 2024 Roundup
Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked like and how to defend.
Conti Ransomware Supply Chain Patterns
Before Conti splintered in 2022, its affiliates turned MSPs, RMM tools, and identity infrastructure into repeatable supply chain attack paths.
RubyGems 2FA Enforcement Analysis
A look at how RubyGems.org rolled out mandatory 2FA for high-traffic gem maintainers, what it has caught, and what gaps still remain in the account-compromise defense story.
Sigstore Rekor Transparency Log Operations
Rekor is the transparency log behind Sigstore, and understanding its operational model matters more than most teams realise. Here is how we run against it in production.