DevSecOps
Pants Build Tool Security Posture
A practitioner's view of the Pants build system's security properties, covering sandboxing, third-party resolution, and the Pants 2.x architecture.
May 18, 20247 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A practitioner's view of the Pants build system's security properties, covering sandboxing, third-party resolution, and the Pants 2.x architecture.
Python's flat namespace creates real security problems. Here is how namespace packages, shadowing, and install order interact, and how to avoid the surprises.
Writing Rust for embedded or kernel targets drops you into no_std territory, and the supply chain rules are different there. A practical look at what changes and why.
Kotlin Multiplatform ships one codebase to JVM, iOS, Android, JS, and native targets. The supply chain surface expands in specific ways worth tracking.
CodeBuild projects are where most AWS supply chain compromises end up executing. Here is a practical hardening guide built from years of incident response, with specific buildspec controls and IAM patterns.
A practical TPRM program for software vendors covering intake, tiering, annual review, SBOM ingestion, and continuous monitoring with staffing ratios and budgets.
As open source AI models proliferate, their security implications extend far beyond traditional software vulnerabilities. Model poisoning, supply chain tampering, and unsafe deserialization create new attack surfaces.
Writing YARA-L detection rules and UDM queries in Google Chronicle (now Security Operations) to catch software supply chain threats at scale.
Twilio disclosed two social engineering incidents in 2022 that cascaded through its customer base; the supply chain lessons remain relevant for any B2B vendor.
Weekly insights on software supply chain security, delivered to your inbox.