Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Open Source Security

Python Packaging Authority and the Security of pip install

Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.

Sep 15, 20237 min read
Best Practices

Electron App Supply Chain Security Posture

Electron apps ship Chromium, Node.js, and your entire npm tree to a user's desktop, running with the privileges of the logged-in user. The supply chain implications are severe enough that they deserve their own category of threat model.

Sep 12, 20237 min read
Application Security

API Security Through the Supply Chain Lens

APIs are both an attack surface and a supply chain dependency. This guide examines API security risks from authentication to third-party integrations.

Sep 12, 20237 min read
Compliance

Canada's Cybersecurity Strategy and the Push for SBOM Adoption

Canada is integrating software supply chain security into its national cyber strategy. Here's where SBOMs fit in and what's coming next.

Sep 12, 20235 min read
Supply Chain Attacks

SLSA v1.0: Software Provenance Attestation Goes Mainstream

The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.

Sep 10, 20235 min read
Emerging Technology

Edge Computing and the Distributed Supply Chain Security Challenge

As compute moves to the edge, software supply chain security must adapt to environments with limited visibility, constrained resources, and vast attack surfaces.

Sep 8, 20236 min read
Software Supply Chain Security

Build System Poisoning Techniques: How Attackers Corrupt Your Pipeline

Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compromised. Here is how it happens.

Sep 8, 20234 min read
Open Source Security

Pipenv Security Posture Review

Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.

Aug 30, 20236 min read
Software Supply Chain Security

Secure Package Publishing Checklist for Open Source Maintainers

Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.

Aug 28, 20237 min read
Compliance

Japan's Approach to Cybersecurity and Software Supply Chain Security

Japan is rapidly building cybersecurity policy around software supply chain risk. Here's what the regulatory landscape looks like and where it's headed.

Aug 20, 20236 min read
Software Supply Chain Security

pip Install Hooks Security: The Python Packaging Backdoor

Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.

Aug 18, 20234 min read
Threat Intelligence

Threat Hunting in the Software Supply Chain

Proactive threat hunting techniques adapted for software supply chain security—because waiting for alerts isn't enough when adversaries hide in your dependencies.

Aug 18, 20236 min read
supply-chain (Page 50) — Safeguard Blog