Certificate Authority Compromise and Supply Chain Risks
A compromised certificate authority can undermine TLS trust for your entire software supply chain. Understanding CA risks is essential for defending package integrity and secure distribution.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Dirty Pipe allowed any local user to overwrite data in read-only files, including SUID binaries, leading to trivial root escalation. The bug was elegant, dangerous, and surprisingly recent.
The LAPSUS$ group stole 190GB of Samsung source code including biometric authentication algorithms and bootloader code. The breach exposed critical device security internals.
When Conti's internal communications leaked in early 2022, they exposed the operational playbook of a top-tier ransomware gang — including how they targeted supply chains.
When LAPSUS$ breached NVIDIA, they stole code signing certificates that were immediately weaponized to sign malware. The incident demonstrated how trust mechanisms become attack vectors.
Stolen OAuth tokens from Heroku's integration with GitHub gave attackers access to private repositories across dozens of organizations. The breach revealed systemic weaknesses in third-party OAuth integrations.
Two years after the SolarWinds SUNBURST compromise, the industry has new frameworks and new vocabulary — but has the build pipeline actually gotten harder to attack?
Event-driven systems decouple producers from consumers, but that decoupling creates security blind spots. Here is how to secure the invisible connections.
You don't need a massive security team to get supply chain security right. Here's a pragmatic, prioritized approach for startups that balances risk reduction with engineering velocity.