Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.
Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.
Should governments ban ransomware payments? The debate intensified through 2023 as attacks escalated, with strong arguments on both sides and no clear consensus.
Publishing a package to a public registry makes your code part of thousands of supply chains. This checklist covers the security controls that responsible maintainers implement before and during publication.
How you communicate security changes in your changelog affects both your users' safety and your project's trustworthiness. Here is how to get it right.
Securing Bitbucket Pipelines with secure variables, deployment permissions, and pipeline hardening.
Build-time SBOMs capture what goes into your software; runtime SBOMs capture what actually runs. Understanding the difference is critical for accurate vulnerability management.
How to communicate during and after a security incident without making things worse. Templates, timelines, and principles for crisis communication.
A review of Socket.dev's approach to supply chain security, focusing on behavior analysis of npm packages, install script detection, and typosquatting prevention.
Weekly insights on software supply chain security, delivered to your inbox.