Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Africa is leapfrogging traditional IT infrastructure with mobile-first, cloud-native solutions. But the cybersecurity foundations are lagging dangerously behind the pace of adoption.
Terraform providers are plugins that execute with full access to your infrastructure credentials. Verifying their integrity is not optional.
The wrong naming convention for internal packages makes dependency confusion attacks trivial. Here is how to name packages so attackers cannot substitute them.
Game day exercises simulate supply chain attacks and failures, testing your team's response procedures before a real incident hits. Here is how to plan and run effective supply chain game days.
Repositories containing multiple programming languages multiply the security tooling, configuration, and expertise required. These challenges are manageable with the right approach.
Risk scoring turns complex supply chain data into actionable numbers. But the algorithms behind these scores have assumptions and blind spots that security teams must understand.
Clop's exploitation of MOVEit Transfer compromised over 2,500 organizations in one campaign, demonstrating a shift from traditional ransomware to mass vulnerability exploitation.
Weekly insights on software supply chain security, delivered to your inbox.