Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.
Native C extensions are the most under-audited part of the Ruby supply chain: how they get built, what can go wrong, and how to monitor them as seriously as you monitor pure-Ruby code.
Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
Vulnerability intelligence platforms aggregate, enrich, and prioritize vulnerability data. This comparison examines how leading platforms handle supply chain-specific intelligence needs.
A practical catalog of indicators of compromise for software supply chain attacks, with detection queries and false-positive notes.
Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.
Cross-platform frameworks multiply supply chain attack surfaces by combining multiple dependency ecosystems. Understanding these compounded risks is essential for modern mobile and desktop security.
A running ledger of typosquat incidents on RubyGems.org through 2024, the patterns across them, and what the year's data says about where the registry's defenses still fall short.
Weekly insights on software supply chain security, delivered to your inbox.