supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
CDN Poisoning Attacks: How Cached Content Becomes a Weapon
CDN cache poisoning turns your performance infrastructure into an attack vector. When the cache serves malicious content to every user, the blast radius is massive and immediate.
SBOMs for Serverless Applications: What Changes and What Doesn't
Serverless doesn't mean dependency-free. Here's how to generate and manage SBOMs for Lambda functions, Azure Functions, and Cloud Functions.
Securing AI/ML Pipelines: The Supply Chain You're Not Watching
AI/ML pipelines introduce unique supply chain risks from training data to model distribution. Most organizations have zero visibility into this attack surface.
Symlink Attacks in Package Managers: Following Links to Trouble
Symbolic links in package archives can redirect file operations to unintended locations. Here is how this old trick still works against modern tools.
Vendor Concentration Risk in Software: When One Vendor Failure Breaks Everything
Depending on too few vendors creates systemic risk. The CrowdStrike outage proved it. Here is how to assess and manage vendor concentration in your software stack.
Software Supply Chain Security in 2022: The Year Everything Changed
From LastPass to Log4j's aftermath to new regulations, 2022 was the year supply chain security went from niche concern to board-level priority.
Software Vendor Risk Scoring Methodology
A practical framework for scoring and ranking software vendor risk based on supply chain security posture, vulnerability history, and development practices.
Single Points of Failure in Software Supply Chains
Your software supply chain has single points of failure that would take down your entire operation. Most organizations have never mapped them.
Cargo Build Script Security: What build.rs Can Do to Your Machine
Rust build scripts run arbitrary code during compilation. Here is what they can access and how to evaluate the risk in your dependency tree.
GitHub Code Signing Bypass: When the Trust Anchor Fails
A vulnerability in GitHub's commit signature verification allowed attackers to forge signed commits. The flaw undermined the integrity guarantees that code signing is supposed to provide.
5G Networks and the Software Supply Chain Risks Nobody Talks About
5G networks are software-defined infrastructure built on open-source components. The supply chain implications are enormous and under-discussed.
Penetration Testing the Software Supply Chain
Traditional pentests focus on the application. Supply chain pentesting targets the build pipeline, dependency resolution, and distribution mechanisms. Here is how to approach it.