Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Open Source Security

Maven Enforcer Plugin Security Rules

Maven Enforcer is a blunt instrument most teams underuse. Here is how to turn it into a supply chain guardrail that blocks bad versions, bad repositories, and bad dependency graphs before they ship.

Mar 25, 20247 min read
Software Supply Chain Security

Dependency Firewalls: Concept, Architecture, and Implementation

A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.

Mar 25, 20247 min read
Regulatory Compliance

Defense Industrial Base Supply Chain and CMMC

How the Defense Industrial Base is adapting its software supply chain to CMMC 2.0, NIST SP 800-171, and DFARS flow-down obligations.

Mar 22, 20247 min read
Container Security

Wolfi OS: The Linux Distribution Built for Secure Containers

Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.

Mar 22, 20246 min read
Supply Chain Security

npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain

npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.

Mar 20, 20247 min read
Open Source Security

Rust Build Scripts: A Supply Chain Risk Profile

Why build.rs is the highest-leverage attack surface in the Rust ecosystem, with concrete examples from 2023 and 2024 incidents.

Mar 20, 20246 min read
Best Practices

AWS Lambda Layers: Supply Chain Risks

Lambda layers feel like a convenience but they are a supply chain attack surface that most teams do not treat as code. Here is how they get abused and what to do about it.

Mar 18, 20247 min read
Incident Analysis

Okta 2022-2023 Incidents: Supply Chain Lessons

A retrospective on Okta's string of security incidents from 2022 through 2023 and what they teach us about identity providers as critical supply chain dependencies.

Mar 18, 20246 min read
Open Source Security

Single-Maintainer Bus Factor Risk in OSS

A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.

Mar 18, 20246 min read
Secure Development

Node.js Permission Model: Restricting What Your Code Can Do

Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.

Mar 18, 20245 min read
Best Practices

Vault Supply Chain Integration Patterns

HashiCorp Vault is a Swiss Army knife for secrets, but most teams use it as a glorified key-value store. A walkthrough of the integration patterns that make Vault actually useful in a CI/CD supply chain.

Mar 15, 20247 min read
Best Practices

Azure Functions Supply Chain Security

Azure Functions hide a surprising amount of supply chain risk — Oryx builds, run-from-package, extension bundles, and the way deployment slots interact with identity.

Mar 12, 20248 min read
supply-chain (Page 44) — Safeguard Blog