OpenSSF Launches SIREN: A Mailing List for Open Source Threat Intelligence
The Open Source Security Foundation introduces SIREN, a dedicated mailing list for sharing real-time threat intelligence about attacks targeting open source ecosystems.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Play ransomware refined the MSP attack model, exploiting FortiOS and RDP vulnerabilities to cascade through managed service providers into hundreds of downstream organizations.
Track remediation SLAs across projects with a self-service dashboard that surfaces aging findings, breach risk, and team accountability — complete code inside.
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
Design a Loki-based log pipeline for CI/CD observability and supply chain forensics. Labels, retention, LogQL patterns, and cost discipline from the field.
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
A compromised signing key is the quietest crisis in security. A concrete playbook for responding when your code signing infrastructure is implicated.
Post-quantum cryptography migration requires knowing what cryptographic algorithms your software uses. CBOMs provide that inventory. Here is what they are and why they matter.
A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.