sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
Software Composition Analysis (SCA)
SCA finds every open source package in your code and flags known CVEs against it. Here's how it works, its blind spots, and how to fix them.
CycloneDX vs SPDX: SBOM Format Comparison 2026
A practical CycloneDX vs SPDX comparison for 2026 buyers: schema depth, tool support, regulatory alignment, and which format to pick for which use case.
SCA vs SBOM: What's the Difference
SCA and SBOM aren't the same thing: one is a scanning process, the other is a compliance artifact. Here's how they differ and why you need both.
SSDF (Secure Software Development Framework)
NIST SP 800-218 turned SSDF into a federal procurement gate. Here is what it requires, why attestation is mandatory, and where CNAPP tools like Aqua fall short.
Software Supply Chain Attacks
Software supply chain attacks like SolarWinds, XZ Utils, and polyfill.io exploit trust, not code. Here's how they work and how Safeguard closes the provenance gap.
How to Read a CycloneDX SBOM: A Line-by-Line Walkthrough
A walkthrough of a CycloneDX 1.6 JSON document — metadata, components, services, dependencies, and vulnerabilities — with a real snippet and what to check first.
Dependency Confusion Attack
How dependency confusion attacks exploit registry name collisions to run attacker code inside corporate networks, from Alex Birsan's 2021 research to the 2022 PyTorch breach.
What is Vulnerability Scanning
Vulnerability scanning automatically checks code, dependencies, and infra against known-flaw databases like the NVD. Here's how it works and why reachability matters.
What is Vulnerability Management
Vulnerability management turns thousands of CVEs into a ranked, fixable backlog. Here's how the lifecycle, prioritization, and standards actually work.
You Cannot Secure What You Cannot See: Asset Discovery
Most breaches start with an asset nobody remembered owning. Continuous asset discovery is the foundation that every other control depends on.
What is Application Security Posture Management (ASPM)
ASPM correlates SCA, SAST, DAST, and cloud findings with reachability context to cut alert noise 60-90% and speed remediation.
Application Risk Management: Methods and Tools
A practical breakdown of application risk management: the methods (reachability, RBVM), the tool categories (SCA, SAST, DAST, CSPM), and how to fix the backlog problem.