Evaluating Vendor Attestations: SOC 2 / FedRAMP
A SOC 2 report does not mean the vendor is secure. Here is how to read attestations carefully, what FedRAMP actually proves, and how to ingest both at scale.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
ISO 27001:2022 added explicit supply chain controls in Annex A. Learn how to build a program that satisfies A.5.19 through A.5.23 with continuous evidence.
Runtime drift is the last honest witness in container supply chain defence. This post covers what drift signals tell you, how to instrument for them, and how to investigate without overwhelming on-call.
An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.
A 2026 hardening checklist for GitLab CI: ID tokens, protected branches, runner isolation, included templates, and the controls that actually shrink blast radius.
A practical security baseline for devcontainer.json files in 2026, covering base image selection, features, lifecycle scripts, and the supply chain controls that actually matter.
Researchers keep finding valid AWS, GitHub, and cloud credentials baked into public Docker Hub images. What the 2024 data shows and how to stop shipping secrets.
Container image supply chain incidents have grown in frequency and impact. We analyze the 2026 patterns, the registry tradecraft, and what defenders should change.