compliance
Safeguard articles tagged "compliance" — guides, analysis, and best practices for software supply chain and application security.
435 articles
How to Choose an Open Source License
Choosing a license for your project comes down to how much control you want over downstream use. This guide walks through the decision — permissive, weak copyleft, or strong copyleft.
SBOM Compliance Requirements FAQ: NTIA Elements, Formats, and Mandates
A precise FAQ on SBOM compliance in 2026 — the NTIA minimum elements, accepted formats, where SBOMs are actually mandated (federal, FDA, EU CRA), depth, VEX, and generation.
What AI Executive Orders Actually Mean for Enterprise Security Teams
The US revoked its AI safety EO in January 2025, but SBOM and evidence obligations under EO 14028 never went away — and the EU AI Act just got harder deadlines.
Mapping security training and roles to the NIST NICE Framework
NIST's NICE Framework sorts cybersecurity work into 7 categories and 52 work roles — most security teams have never mapped a single job description to it.
DORA compliance for application risk management
DORA became fully applicable on 17 January 2025 with no grace period, and its ICT risk-management articles map almost line-for-line onto standard AppSec practice.
The four pillars every enterprise security program needs
Identity, patching, segmentation, and logging aren't a checklist — they're the four controls that determine whether a breach stays contained or becomes Log4Shell.
Japan METI's SBOM Guidance: What Software Vendors Need to Know
METI's SBOM guidance has no legal teeth, yet Ver. 2.0 already shapes procurement at Japan's largest manufacturers and critical-infrastructure buyers.
Mapping NIST CSF 2.0 to your AppSec program
NIST CSF 2.0 added a sixth function, Govern, in February 2024 — most AppSec teams still map their tooling to only three of the six.
The SEC's cybersecurity disclosure rules, explained for CISOs and boards
Since December 18, 2023, U.S. public companies must disclose material cyber incidents within four business days — and boards must now document their oversight of the risk.
ISO 27001 application security: the Annex A controls that govern your code
ISO/IEC 27001:2022 added and sharpened Annex A controls for secure development and technical vulnerabilities. Here's how they apply to application and supply chain security.
NIST SSDF FAQ: SP 800-218, the Four Practice Groups, and Attestation
A precise FAQ on the NIST Secure Software Development Framework in 2026 — the four practice groups, the CISA self-attestation form, EO 14028 lineage, the AI augmentation, and the evidence behind it.
Open Source License Comparison: MIT, Apache, BSD, GPL, and More
A side-by-side comparison of the major open-source licenses — MIT, BSD, Apache 2.0, MPL, LGPL, GPL, and AGPL — across permissions, conditions, copyleft strength, and patent handling.