NuGet Package Signing: Enterprise Rollout
Rolling NuGet package signing enforcement across a large .NET estate is a policy and tooling problem, not a cryptography problem. Here is how it actually goes.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Poetry's lockfile is an asset. Its dependency resolver is a tradeoff. Here is how to run Poetry safely in a world of typosquats, dependency confusion, and unmaintained installers.
PDFs are trusted by default in most organizations. That trust makes them a potent vector for supply chain attacks. Here is how the attacks work.
In February 2024, a ransomware attack on Change Healthcare paralyzed the U.S. healthcare payment system for weeks and ultimately exposed the personal health data of over 100 million Americans, making it the largest healthcare data breach ever recorded.
The BlackCat/ALPHV ransomware attack on Change Healthcare caused the largest healthcare IT disruption in U.S. history, affecting pharmacies, hospitals, and insurance claims processing nationwide.
A coordinated international operation seized LockBit's infrastructure, arrested affiliates, and obtained decryption keys. But did it actually stop the world's most prolific ransomware gang?
Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.
Traditional security training is boring and ineffective. Here is how to build a training program developers actually engage with and learn from.
When your application is 50 services with 50 dependency trees, SBOM management stops being simple. Here's how to handle it.