third-party-risk
Safeguard articles tagged "third-party-risk" — guides, analysis, and best practices for software supply chain and application security.
54 articles
The Klue Breach: One Legacy Credential Turned Into a SaaS Supply Chain Attack on Salesforce and Gong
Attackers used a disused legacy credential at marketing-intelligence vendor Klue to push code that harvested customer OAuth tokens, then walked into Salesforce and Gong instances. A textbook SaaS-to-SaaS supply chain pivot.
AIBOM in 2026: Treating AI Models as a Software Supply Chain
The AI bill of materials is graduating from optional security artifact to procurement requirement. Here is what AIBOM/ML-BOM actually tracks in 2026, how it ties to the EU AI Act, and where it still falls short.
Platformization vs Best-of-Breed: The 2026 Security Consolidation Debate
RSAC 2026 made it official: the industry is consolidating. But platform breadth buys you integration and data gravity at the cost of lock-in and concentration risk. Here is where consolidation genuinely helps, and where it quietly hurts.
Infosecurity Europe 2026's Cyber Startup Programme: A New Pipeline for Early-Stage Security
Infosecurity Europe debuted a Cyber Startup Programme, a live-pitch Startup Award, and a dedicated Cyber Startups Zone in June 2026. Here is what it actually delivered for early-stage founders working on agentic AI security and software supply chain risk.
OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target
The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.
Why postinstall Scripts Became the Frontline of the Software Supply Chain Attack
Install-time script execution turned npm install and pip install into code-execution events. Here is how 2026's wave of attacks works, and the lockfile, allowlist, and sandbox discipline that actually stops it.
Gartner SRM Summit 2026 Recap: Agentic AI Security and the Post-Quantum Clock
Gartner's Security & Risk Management Summit landed on four forces every security leader now has to navigate. Two of them — agentic AI security and the post-quantum world — dominated the room. Here's our honest read on what mattered.
Post-Quantum Cryptography in 2026: Where Enterprise Migration Actually Stands
The NIST standards are final, the deadlines are real, and the harvest-now-decrypt-later clock is running. Here is an honest look at what enterprise PQC migration looks like in 2026 — and why crypto-agility matters more than picking an algorithm.
NYC Health + Hospitals Vendor Breach: 1.8 Million Records, Including Biometrics, Exposed (May 2026)
A months-long intrusion through a third-party vendor exposed medical records, government IDs, geolocation, and fingerprint and palm-print biometrics for at least 1.8 million people at the largest U.S. public health system. We unpack the dwell time and the third-party blast radius.
NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026
The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.
DORA Compliance for Fintech Engineering Teams
DORA has applied since January 2025. For engineers that means ICT asset inventories, 4-hour incident classification, TLPT, and a register of every software supplier.
RSAC 2026's Five Most Dangerous Attack Techniques: Every One Now Runs on AI
For the first time in the history of the SANS keynote, all five of the most dangerous new attack techniques carry an AI dimension — from AI-generated zero-days to your vendor's vendor's vendor. Here's the honest breakdown, plus what defenders should actually do.