sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Shifting security left: what it really means for teams
Shift left security means catching vulnerabilities at commit time, not audit time. Here's what that requires in practice, with real CVEs and numbers.
Open Source License Compliance: Automating License Risk R...
Manual license audits miss GPL contamination and copyleft traps. Here's how automated license risk reports work, and how Safeguard stacks up against Endor Labs.
RabbitMQ management plugin CVEs: brokers deserve database-grade SBOM scrutiny
Authentication and plugin-loading risks in RabbitMQ's management plugin show why message brokers, which hold credentials and pass payloads, should be inventoried with the same rigor as databases.
PCI DSS Requirements for Application Security Testing
PCI DSS 4.0's March 2025 deadline made SBOMs and 30-day patch SLAs mandatory. Here's what Requirements 6.3.2, 6.4.2, and 11.3 actually demand, and where Endor Labs leaves compliance gaps.
npm audit isn't enough: what it misses
npm audit catches known CVEs and stops there. It misses malicious packages, install scripts, and typosquats -- the threats actually landing in npm today.
SOC 2 compliance guide for engineering teams
SOC 2 audits fail on missing evidence, not bad intentions. Here's what engineering teams must actually build, track, and prove — with real timelines and costs.
ISO 27001 compliance for software development teams
ISO/IEC 27001:2022 audits now check 8 SDLC controls directly — SBOMs, vulnerability SLAs, and CI/CD evidence dev teams commonly get flagged on.
CI/CD pipeline dependency security integration coverage
How does Safeguard's pipeline-native dependency security compare to Socket.dev's PR-comment model? A concrete look at coverage, enforcement, and deployment options.
Cheat sheet: meeting security compliance standards
A concrete, numbers-first cheat sheet for SOC 2, ISO 27001, PCI DSS 4.0, and SBOM mandates — deadlines, timelines, and audit gaps that actually matter.
BMC firmware and the supply chain you forgot you had
Baseboard management controllers run their own operating system below your hypervisor, ship as binary blobs from vendors like AMI and Insyde, and almost never appear in an SBOM. The MegaRAC incidents made that gap impossible to ignore.
GDPR compliance considerations for application security teams
GDPR's Article 32 doesn't name SAST or SBOM, but fines like Meta's €1.2B and BA's £20m trace straight back to AppSec gaps.
HIPAA compliance in software development
HIPAA compliance in software development means encryption, access logging, and vulnerability management baked into the SDLC — not paperwork. Here's what engineers must build.