Temp File Race Conditions in Build Systems: The TOCTOU Problem
Build systems create and process temporary files constantly. Race conditions in temp file handling can be exploited to inject malicious content into builds.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Azure DevOps pipelines present unique supply chain risks from marketplace extensions to service connections. A breakdown of the attack surface and how to harden it.
Your container registry is a signing oracle, a software distribution system, and a typosquat target rolled into one. Here is the hardening baseline for 2022.
LAPSUS$ broke into Microsoft, Nvidia, Samsung, and Okta using social engineering and insider recruitment rather than sophisticated malware. Their techniques exposed fundamental security gaps.
Generating SBOMs manually is unsustainable. Here's how to automate SBOM creation, validation, and distribution as part of your existing CI/CD pipeline with practical examples.
Syft is the most popular open-source SBOM generator. Here's how to use it effectively for containers, directories, archives, and CI/CD pipelines.
CVE-2022-22954 in VMware Workspace ONE Access allowed unauthenticated RCE via server-side template injection. Attackers used it to deploy cryptominers and backdoors.
Fuzz testing discovers crashes, memory corruption, and logic errors by feeding random inputs to software. Applied to supply chain components, it reveals vulnerabilities that code review and static analysis miss.
A social engineering attack on Mailchimp employees gave attackers access to internal tools, which they used to target cryptocurrency companies and their customers in a downstream phishing campaign.