Open Source Foundation Governance Models
The Linux Foundation, Apache Software Foundation, CNCF, and Eclipse each codify different theories of how open source projects should be governed. The differences matter more than most adopters realize.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.
The RaaS ecosystem proved resilient through 2024 despite major law enforcement takedowns, with new groups filling every gap and affiliate models becoming more sophisticated.
Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a security track record that genuinely distinguishes it from the Express crowd. Here is what I have learned auditing Fastify apps this year.
ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.
An honest look at where RubyGems.org stands with Sigstore integration, what has shipped, what is still being debated, and how maintainers can prepare for signed gems.
Cutting through the CWPP marketing noise to identify the capabilities that genuinely protect cloud workloads from modern threats.
Qilin ransomware operators pioneered a mass credential theft technique using Group Policy to extract saved Chrome browser credentials across entire domains.
Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls from running Dagger in production.