supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
SLSA v1.0: Supply-chain Levels for Software Artifacts Reaches Maturity
SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.
Post-Breach Supply Chain Hardening: Lessons from Real Incidents
After a supply chain breach, the remediation window is your best opportunity to implement controls that should have existed before the incident. This guide covers what to harden and in what order.
How to Pin GitHub Actions to SHAs Correctly
A hands-on guide to pinning every third-party GitHub Action to a full commit SHA, automating updates with Dependabot, and avoiding the common pitfalls.
Open Source Intelligence (OSINT) for Supply Chain Security
How OSINT techniques can uncover supply chain threats hiding in plain sight—from compromised packages to suspicious maintainer activity.
Maven Plugin Verification: Trusting Your Build-Time Dependencies
Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.
Software Escrow and Supply Chain Continuity Planning
What happens when a critical vendor disappears? Software escrow arrangements protect your business continuity, but most organizations get the implementation wrong.
The Shared Responsibility Model for Software Supply Chain Security
Cloud providers defined the shared responsibility model for infrastructure. Software supply chains need the same clarity about who is responsible for what.
Post-Install Hooks in Package Managers: The Universal Backdoor Mechanism
Almost every package manager supports post-install hooks that run arbitrary code. This is the most abused feature in supply chain attacks.
3CX Desktop App: Anatomy of a Cascading Breach
How a Trading Technologies installer from 2022 poisoned the 3CX build pipeline in 2023, producing the first publicly confirmed cascading supply chain attack.
Chaos Engineering for Supply Chain Resilience: Breaking Your Build to Make It Stronger
Chaos engineering principles applied to the software supply chain reveal hidden dependencies, single points of failure, and degradation paths that only surface under stress.
FISMA and Federal Software Security: Supply Chain Requirements Explained
FISMA's authorization framework creates strict requirements for software in federal systems. Here's how supply chain security fits into the ATO process.
Threat Modeling the Software Supply Chain
Traditional threat modeling focuses on your code. Supply chain threat modeling extends to every tool, dependency, and process that touches your software. Here is how to do it systematically.