Safeguard
Tag

third-party-risk

Safeguard articles tagged "third-party-risk" — guides, analysis, and best practices for software supply chain and application security.

54 articles

Threat Intelligence

The Klue Breach: One Legacy Credential Turned Into a SaaS Supply Chain Attack on Salesforce and Gong

Attackers used a disused legacy credential at marketing-intelligence vendor Klue to push code that harvested customer OAuth tokens, then walked into Salesforce and Gong instances. A textbook SaaS-to-SaaS supply chain pivot.

Jun 17, 20266 min read
AI Security

AIBOM in 2026: Treating AI Models as a Software Supply Chain

The AI bill of materials is graduating from optional security artifact to procurement requirement. Here is what AIBOM/ML-BOM actually tracks in 2026, how it ties to the EU AI Act, and where it still falls short.

Jun 15, 20267 min read
Strategy

Platformization vs Best-of-Breed: The 2026 Security Consolidation Debate

RSAC 2026 made it official: the industry is consolidating. But platform breadth buys you integration and data gravity at the cost of lock-in and concentration risk. Here is where consolidation genuinely helps, and where it quietly hurts.

Jun 14, 20267 min read
Industry Events

Infosecurity Europe 2026's Cyber Startup Programme: A New Pipeline for Early-Stage Security

Infosecurity Europe debuted a Cyber Startup Programme, a live-pitch Startup Award, and a dedicated Cyber Startups Zone in June 2026. Here is what it actually delivered for early-stage founders working on agentic AI security and software supply chain risk.

Jun 8, 20267 min read
Threat Intelligence

OAuth Token Theft: The SaaS-to-SaaS Supply Chain Is the New Soft Target

The Klue and Salesloft Drift breaches showed the same pattern: steal one integration's OAuth tokens, inherit trusted access into hundreds of customer SaaS instances. Here is why third-party app grants are the supply chain risk most teams still aren't governing.

Jun 8, 20267 min read
Supply Chain Security

Why postinstall Scripts Became the Frontline of the Software Supply Chain Attack

Install-time script execution turned npm install and pip install into code-execution events. Here is how 2026's wave of attacks works, and the lockfile, allowlist, and sandbox discipline that actually stops it.

Jun 7, 20267 min read
Industry Events

Gartner SRM Summit 2026 Recap: Agentic AI Security and the Post-Quantum Clock

Gartner's Security & Risk Management Summit landed on four forces every security leader now has to navigate. Two of them — agentic AI security and the post-quantum world — dominated the room. Here's our honest read on what mattered.

Jun 4, 20267 min read
Strategy

Post-Quantum Cryptography in 2026: Where Enterprise Migration Actually Stands

The NIST standards are final, the deadlines are real, and the harvest-now-decrypt-later clock is running. Here is an honest look at what enterprise PQC migration looks like in 2026 — and why crypto-agility matters more than picking an algorithm.

Jun 1, 20267 min read
Healthcare Security

NYC Health + Hospitals Vendor Breach: 1.8 Million Records, Including Biometrics, Exposed (May 2026)

A months-long intrusion through a third-party vendor exposed medical records, government IDs, geolocation, and fingerprint and palm-print biometrics for at least 1.8 million people at the largest U.S. public health system. We unpack the dwell time and the third-party blast radius.

May 19, 202613 min read
Compliance

NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026

The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.

May 14, 20268 min read
Compliance

DORA Compliance for Fintech Engineering Teams

DORA has applied since January 2025. For engineers that means ICT asset inventories, 4-hour incident classification, TLPT, and a register of every software supplier.

Apr 15, 20266 min read
Industry Events

RSAC 2026's Five Most Dangerous Attack Techniques: Every One Now Runs on AI

For the first time in the history of the SANS keynote, all five of the most dangerous new attack techniques carry an AI dimension — from AI-generated zero-days to your vendor's vendor's vendor. Here's the honest breakdown, plus what defenders should actually do.

Mar 29, 20267 min read
third-party-risk (Page 2) — Safeguard Blog