Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
PCI DSS v4.0.1 doesn't say the word SBOM, but its software inventory and vulnerability management requirements make one effectively mandatory. Here's how to build an SBOM program that passes a QSA review.
A practical catalog of indicators of compromise for software supply chain attacks, with detection queries and false-positive notes.
Ivanti's Cloud Services Appliance faced chained zero-day exploitation in September 2024, with attackers combining path traversal and command injection for unauthenticated RCE.
The FDA's cybersecurity guidance has quietly turned into one of the most consequential supply chain regulations in US software. A walkthrough for engineering teams shipping connected medical products.
Cargo feature flags look like a compilation convenience but they are a load-bearing piece of your supply chain posture. Here is why.
CVE-2024-6678 allowed attackers to trigger GitLab CI/CD pipelines as arbitrary users, potentially accessing secrets and deploying malicious code through impersonated pipeline runs.
A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.
Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.
Microsoft disabled macros by default in 2022. Attackers adapted. The macro threat has evolved, not disappeared.
Weekly insights on software supply chain security, delivered to your inbox.