Best Practices
The Annual Vendor Security Review Cadence
A complete timeline and workflow for running the annual vendor security review cycle, staffed sustainably, with clear deliverables and audit-ready evidence.
Feb 6, 20246 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A complete timeline and workflow for running the annual vendor security review cycle, staffed sustainably, with clear deliverables and audit-ready evidence.
How UEFI Secure Boot, shim, and Microsoft third-party UEFI CA connect to software supply chain risk in OS and firmware update pipelines.
Security debt is inevitable, but it does not have to be unmanageable. Learn how to quantify, prioritize, and systematically pay down your organization's security debt.
Express remains the default Node.js framework at most shops, and its middleware ecosystem is a thirteen-year accumulation of packages, some abandoned, some indispensable. This is a pragmatic audit of what belongs in a 2023 Express stack.
Most vulnerability triage processes are broken. Here is how to design a workflow that reduces noise, routes issues to the right owners, and actually gets things fixed.
Electron apps ship Chromium, Node.js, and your entire npm tree to a user's desktop, running with the privileges of the logged-in user. The supply chain implications are severe enough that they deserve their own category of threat model.
Designing and running a security champions program specifically for supply chain risks, including recruitment, training, cadences, and measurable impact.
Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.
Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.
Weekly insights on software supply chain security, delivered to your inbox.