Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A multi-year social engineering campaign planted a backdoor in XZ Utils that would have compromised SSH on most Linux distributions. Technical deep dive into what happened.
A single person maintaining critical infrastructure is one medical emergency, burnout, or coercion event away from a supply chain crisis. The bus factor is not a theoretical metric.
Star counts and download numbers tell you popularity, not health. The metrics that predict dependency risk are harder to measure and more important to track.
How you communicate security changes in your changelog affects both your users' safety and your project's trustworthiness. Here is how to get it right.
OSV provides a standardized format for vulnerability data that is purpose-built for open-source ecosystems. Here is how it works and why it is better than NVD for dependency scanning.
How OSINT techniques can uncover supply chain threats hiding in plain sight—from compromised packages to suspicious maintainer activity.
Supply chain attacks on open source come in distinct flavors. Understanding the taxonomy helps defenders prioritize controls and recognize threats before they reach production.
Software Heritage archives the world's source code. Here is why that matters for supply chain security, reproducibility, and long-term software integrity.
Forking an open source project means inheriting its security obligations. Here is what organizations need to know before and after forking a dependency.
Weekly insights on software supply chain security, delivered to your inbox.