sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Reconstructing the tj-actions/changed-files compromise
CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.
Verifying open source package provenance with SLSA and Sigstore
A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.
The 2026 SBOM compliance guide: where a software bill of materials is now required
SBOM requirements have spread from a single US executive order to regulations across sectors and continents. Here's a framework-by-framework map of where you need one in 2026.
The Best Software Supply Chain Security Platforms in 2026
Supply-chain security has grown from SCA into a platform category spanning SBOMs, build integrity, and malicious-package defense. This balanced guide compares Snyk, Sonatype, Chainguard, Endor Labs, Socket, and Safeguard.
Cloud-Native Supply Chain Security: From Source to Runtime
A stage-by-stage guide to securing the cloud-native software supply chain — source, dependencies, build, artifacts, and deploy — using SBOMs, SLSA provenance, signing, and admission policy.
SBOM Compliance Requirements FAQ: NTIA Elements, Formats, and Mandates
A precise FAQ on SBOM compliance in 2026 — the NTIA minimum elements, accepted formats, where SBOMs are actually mandated (federal, FDA, EU CRA), depth, VEX, and generation.
The supply-chain and IP risk hiding inside AI coding assistants
GitHub has disclosed that Copilot suggestions match training-set code verbatim about 1% of the time — and a class action over it is still being argued in 2026.
What AI Executive Orders Actually Mean for Enterprise Security Teams
The US revoked its AI safety EO in January 2025, but SBOM and evidence obligations under EO 14028 never went away — and the EU AI Act just got harder deadlines.
What to Evaluate in an ASPM Solution: A 2026 Buyer's Guide
Gartner named Application Security Posture Management a category in May 2023 — three years later, most RFPs still can't distinguish a real ASPM from a dashboard bolted onto old scanners.
Why asset inventory should come before AppSec tooling
Only 17% of organizations can inventory 95%+ of their assets, and 69% have been breached through one they didn't know existed — start with the map, not the scanner.
How to publish a secure Python package: signing, SBOMs, and trusted publishing
PyPI enforced two-factor authentication for all users on January 1, 2024 — but 2FA alone doesn't stop a stolen API token. Here's the full secure-publishing stack.
The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security
Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.