supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
How to Detect Typosquatting in Package Installs
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
Software Component Lifecycle Management
Components do not stay secure forever. This guide covers managing the full lifecycle of software dependencies -- from adoption through deprecation -- with a focus on security and operational continuity.
How to Security Audit an Open Source Project Before Adoption
Adopting an open source dependency is a trust decision. This guide provides a structured methodology for evaluating the security posture of open source projects before adding them to your supply chain.
Akira Ransomware: Exploiting VPN Vulnerabilities for Supply Chain Entry
Akira ransomware systematically exploited Cisco VPN vulnerabilities as its primary entry vector, targeting organizations through the network infrastructure they trusted most.
Platform Engineering and Security: Building Guardrails, Not Gates
Platform engineering teams are becoming the stewards of developer experience. Here's how to make supply chain security a built-in capability, not a bolt-on burden.
Ansible Galaxy Security Risks: The Infrastructure Supply Chain You Forgot About
Ansible Galaxy roles and collections execute with root privileges on your infrastructure. Most teams apply zero security scrutiny to them.
Gradle Plugin Security Risks: The Code That Runs Before Your Code
Gradle plugins execute during your build with full access to your environment. Most teams never audit them. Here is why that is dangerous.
npm Registry Governance and the Security of node_modules
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
Software Supply Chain Security in 2023: Year in Review
From the MOVEit mass exploitation to AI model risks, 2023 proved that supply chain attacks are accelerating in both sophistication and scale. Here's what we learned.
Building a Security Automation Playbook Library for Supply Chain Defense
Security automation playbooks codify response procedures into executable workflows. A well-designed playbook library turns supply chain incidents from fire drills into routine operations.
Red Team Supply Chain Attack Simulation
How red teams can simulate real-world supply chain attacks to test organizational defenses—from dependency confusion to build pipeline compromise.
Puppet Forge Supply Chain Security: Trusting Your Configuration Management
Puppet modules from the Forge run with root-level access on your servers. The supply chain security of these modules deserves the same scrutiny as any dependency.