supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Cross-Language Dependency Analysis: Bridging npm, pip, Maven, and Beyond
Modern applications use multiple languages and package ecosystems. Analyzing dependencies across these boundaries requires techniques that single-ecosystem tools cannot provide.
Go Module Checksum Database: How It Secures Your Dependencies
Go checksum database is one of the most underappreciated supply chain security features in any language ecosystem. Here is how it works and where it falls short.
Web3 Smart Contract Dependencies: A Supply Chain Security Blind Spot
Smart contracts import code from unaudited libraries, creating supply chain risks that have already led to billions in losses. The Web3 ecosystem needs better tooling.
Chrome Extension Manifest V3: What It Means for Browser Supply Chain Security
Chrome's Manifest V3 restricts extension capabilities in the name of security. The changes help, but they do not solve the browser extension supply chain problem.
Go Modules Checksum Database: Five Years In
sum.golang.org went public in August 2019. After four years of production, here is what the Go checksum database got right and what it did not.
BuildKit and Buildah: Building Containers Without Giving Away the Keys
Container build tools have direct access to your source code, secrets, and registries. BuildKit and Buildah offer security features that most teams ignore. Here is what to use and why.
Email Security and Supply Chain Phishing Attacks
Phishing remains the top initial access vector for supply chain attacks. Targeted emails against developers, maintainers, and DevOps engineers open the door to code injection, credential theft, and pipeline compromise.
Maven Dependency Resolution Attacks: Exploiting Java's Build System
Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.
Automating Typosquatting Detection for Package Registries
Typosquatting remains one of the most effective supply chain attacks. Automated detection using string distance algorithms, behavioral analysis, and registry monitoring can catch malicious packages before they reach your builds.
Australia's Critical Infrastructure Security Act and Software Supply Chain Risk
Australia's SOCI Act imposes strict cybersecurity obligations on critical infrastructure. Here's what software suppliers need to understand.
SBOM Sharing and Distribution Best Practices
Generating SBOMs is only half the battle. Sharing them securely and effectively with stakeholders requires careful planning and tooling.
Defense in Depth for the Software Supply Chain
No single control stops supply chain attacks. Defense in depth — layered controls across the entire software lifecycle — is the only strategy that works against sophisticated adversaries.