verification
Safeguard articles tagged "verification" — guides, analysis, and best practices for software supply chain and application security.
8 articles
OWASP ASVS 5.0 Adoption Guide
OWASP ASVS 5.0 restructured the verification levels and added new requirements for modern stacks. A practical adoption guide for teams using ASVS as their security baseline.
Provenance Attestation Consumer Workflow
Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the security value actually materialises.
How to Verify a PyPI Package Before Install
A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.
Maven Plugin Verification: Trusting Your Build-Time Dependencies
Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.
Software Update Signing and Verification: Getting It Right
Signed updates are table stakes for software distribution. But the signing and verification process has pitfalls that undermine the entire security model.
Build Reproducibility: A Verification Guide
If you cannot reproduce a build bit-for-bit, you cannot verify it was not tampered with. This guide covers deterministic builds, reproducibility verification, and why it matters for supply chain trust.
Reproducible Builds: The Gold Standard for Supply Chain Integrity
If you can't rebuild a binary from source and get the same result, you can't verify that the binary matches the source. Reproducible builds close this fundamental trust gap.
Sigstore and Cosign: Software Signing for the Rest of Us
Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.