supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Python Packaging Authority and the Security of pip install
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
Electron App Supply Chain Security Posture
Electron apps ship Chromium, Node.js, and your entire npm tree to a user's desktop, running with the privileges of the logged-in user. The supply chain implications are severe enough that they deserve their own category of threat model.
API Security Through the Supply Chain Lens
APIs are both an attack surface and a supply chain dependency. This guide examines API security risks from authentication to third-party integrations.
Canada's Cybersecurity Strategy and the Push for SBOM Adoption
Canada is integrating software supply chain security into its national cyber strategy. Here's where SBOMs fit in and what's coming next.
SLSA v1.0: Software Provenance Attestation Goes Mainstream
The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.
Edge Computing and the Distributed Supply Chain Security Challenge
As compute moves to the edge, software supply chain security must adapt to environments with limited visibility, constrained resources, and vast attack surfaces.
Build System Poisoning Techniques: How Attackers Corrupt Your Pipeline
Build systems transform source code into deployable artifacts. When attackers poison the build, every artifact is compromised. Here is how it happens.
Pipenv Security Posture Review
Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.
Secure Package Publishing Checklist for Open Source Maintainers
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
Japan's Approach to Cybersecurity and Software Supply Chain Security
Japan is rapidly building cybersecurity policy around software supply chain risk. Here's what the regulatory landscape looks like and where it's headed.
pip Install Hooks Security: The Python Packaging Backdoor
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Threat Hunting in the Software Supply Chain
Proactive threat hunting techniques adapted for software supply chain security—because waiting for alerts isn't enough when adversaries hide in your dependencies.