Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

DevSecOps

SLSA v1.0: Supply-chain Levels for Software Artifacts Reaches Maturity

SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.

May 1, 20236 min read
Software Supply Chain Security

Post-Breach Supply Chain Hardening: Lessons from Real Incidents

After a supply chain breach, the remediation window is your best opportunity to implement controls that should have existed before the incident. This guide covers what to harden and in what order.

Apr 22, 20237 min read
DevSecOps

How to Pin GitHub Actions to SHAs Correctly

A hands-on guide to pinning every third-party GitHub Action to a full commit SHA, automating updates with Dependabot, and avoiding the common pitfalls.

Apr 18, 20234 min read
Threat Intelligence

Open Source Intelligence (OSINT) for Supply Chain Security

How OSINT techniques can uncover supply chain threats hiding in plain sight—from compromised packages to suspicious maintainer activity.

Apr 18, 20236 min read
Software Supply Chain Security

Maven Plugin Verification: Trusting Your Build-Time Dependencies

Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.

Apr 15, 20234 min read
Risk Management

Software Escrow and Supply Chain Continuity Planning

What happens when a critical vendor disappears? Software escrow arrangements protect your business continuity, but most organizations get the implementation wrong.

Apr 12, 20237 min read
Risk Management

The Shared Responsibility Model for Software Supply Chain Security

Cloud providers defined the shared responsibility model for infrastructure. Software supply chains need the same clarity about who is responsible for what.

Apr 12, 20235 min read
Software Supply Chain Security

Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism

Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.

Apr 8, 20234 min read
Incident Analysis

3CX Desktop App: Anatomy of a Cascading Breach

How a Trading Technologies installer from 2022 poisoned the 3CX build pipeline in 2023, producing the first publicly confirmed cascading supply chain attack.

Apr 5, 20235 min read
DevSecOps

Chaos Engineering for Supply Chain Resilience: Breaking Your Build to Make It Stronger

Chaos engineering principles applied to the software supply chain reveal hidden dependencies, single points of failure, and degradation paths that only surface under stress.

Apr 5, 20235 min read
Compliance

FISMA and Federal Software Security: Supply Chain Requirements Explained

FISMA's authorization framework creates strict requirements for software in federal systems. Here's how supply chain security fits into the ATO process.

Mar 28, 20236 min read
Threat Modeling

Threat Modeling the Software Supply Chain

Traditional threat modeling focuses on your code. Supply chain threat modeling extends to every tool, dependency, and process that touches your software. Here is how to do it systematically.

Mar 22, 20238 min read
supply-chain (Page 54) — Safeguard Blog