sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Software Supply Chain Security Solutions: A Comparison Framework
A framework for comparing software supply chain security solutions across the four capabilities that matter, SBOM generation, dependency scanning, provenance verification, and CI/CD gating.
Top 8 DevSecOps best practices
Log4Shell and the xz backdoor show why DevSecOps matters. Eight concrete practices — from reachability triage to auto-fix PRs — teams can implement now.
How to implement DevSecOps in 4 steps
A concrete, 4-step playbook for implementing DevSecOps — pipeline gating, SBOM generation, reachability-based triage, and auto-fix PRs.
DevSecOps automation: principles, frameworks, and tools
A practical breakdown of DevSecOps automation frameworks — principles, standards like NIST SSDF, and the tools that turn shift-left security into a repeatable pipeline.
The 4 best DevSecOps tools for a secure DevOps workflow
The 4 DevSecOps tool categories a secure pipeline needs — SCA, SAST, container/IaC scanning, secrets scanning — with real incidents and fixes.
Building a security-conscious CI/CD pipeline
CI/CD pipelines are now the top supply chain target. Here's how to build one with real controls—secrets, scoping, SBOMs, and provenance.
8 tips for securing your CI/CD pipeline
Real incidents like tj-actions and xz-utils show how CI/CD pipelines get compromised. Eight concrete, actionable tips to lock yours down.
Securing self-hosted GitHub Actions runners
Self-hosted GitHub Actions runners trade GitHub's ephemeral isolation for persistent infrastructure access — here's how real incidents like CVE-2025-30066 exploited that gap.
Secrets management: tools and best practices
Secrets leak because of workflow gaps, not carelessness. Here's how vaults, scanners, and rotation policies actually stop credential exposure.
Patch Transparency: Auditing Automated Fix Pull Requests
Automated fix PRs from Dependabot, Renovate, and Endor Labs move fast but are rarely auditable. Here's what a real patch transparency record needs.
Zero-Day Patch Response at Scale: Can Open Source Maintai...
Zero-day patch timelines swing from 3 hours to 10 weeks across open source projects. Here's why maintainer capacity, not tooling, is the real bottleneck.
Medical Device Cybersecurity Under FDA 524B in 2026
Three years into Section 524B, medical device manufacturers are operating under genuine premarket cybersecurity expectations. Here is what the 2026 submission and postmarket landscape actually requires.