sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Public sector / government application security requirements
EO 14028, CISA's attestation form, and FedRAMP have made government application security compliance its own discipline. Here's what's required and where legacy SCA tools like Black Duck fall short.
Embedded software and ISV security programs
Black Duck built its business on binary composition analysis for embedded software. Here's what that approach misses in 2026, and what a modern ISV security program needs instead.
Introducing Agentic Development Security (ADS)
As AI agents now author up to half of production commits, Safeguard introduces Agentic Development Security (ADS) — a new framework for securing autonomous coding.
What is an Open Source Audit?
What is an open source audit, how does it compare to Black Duck's point-in-time scans, and why continuous monitoring closes the gap audits leave open.
What are Open Source Licenses?
Open source licenses govern how 96% of modern codebases can legally be used. Here's how license compliance works, where Black Duck's approach falls short, and how to close the gaps.
Securing RAG pipelines against injection attacks
RAG pipelines feed untrusted retrieved content straight into model context. Real breaches like EchoLeak show what happens when nothing checks it.
How to evaluate software supply chain security vendors us...
A practical framework for evaluating software supply chain security vendors on verifiable dimensions—SBOM support, provenance, deployment model—rather than analyst labels alone.
Protestware via prompt injection: the jqwik 1.10.0 case
jqwik 1.10.0 hid a prompt injection telling AI coding agents to delete tests. Here's how it worked, why it's protestware, and how to catch it.
Governments banning AI models: security implications for teams
Governments banned DeepSeek and other AI models in 2025 within days. Here's the security supply-chain risk teams face and how to find and fix it fast.
Building trust in AI-assisted software development
AI writes 30-50% of new code at many shops now, and 45% of it ships with security flaws. Here's how to build real trust in that pipeline.
Cursor's AI security agents: what they get right and what's missing
Cursor's Bugbot and MCP agents catch real bugs, but CurXecute and MCPoison show they open new attack surfaces SCA tools never had to face.
Software Dependency Cooldown Policies
A dependency cooldown policy delays new package versions for a set window so the ecosystem can catch malicious releases before they reach your build pipeline.