The Hidden Risk of Abandoned Open Source Projects
Abandoned open source projects do not disappear. They continue to be installed, depended upon, and deployed in production. They just stop getting security patches.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Produce accurate CycloneDX SBOMs from Maven builds using the official plugin, handle multi-module reactors, and ship attested SBOMs alongside your JARs.
Game day exercises simulate supply chain attacks and failures, testing your team's response procedures before a real incident hits. Here is how to plan and run effective supply chain game days.
Server-Side Template Injection turns template engines into code execution engines. This guide covers SSTI in Jinja2, Twig, FreeMarker, and other engines, with detection techniques and layered defenses.
OSV provides a standardized format for vulnerability data that is purpose-built for open-source ecosystems. Here is how it works and why it is better than NVD for dependency scanning.
Pharma companies must validate software used in drug manufacturing and clinical trials. Software supply chain security is now part of that equation.
npm's updated unpublish policy addresses the left-pad problem while balancing maintainer rights, but the supply chain implications go deeper than most realize.
detekt is Kotlin's primary static analysis tool. Its security-relevant rules catch patterns that lead to vulnerabilities in Android and server-side Kotlin.
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.