sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
Building A Defensible SBOM Program In 90 Days
A pragmatic 90-day blueprint for standing up an SBOM program that survives auditor scrutiny, procurement reviews, and incident response without burning out your platform team.
Asset-First Application Security
Vulnerability-first scanning drowns teams in noise. Asset-first application security starts with a complete inventory, then layers reachability and context to cut backlogs by 90%.
How to Measure Application Security Success: Metrics & KPIs
Learn which AppSec metrics actually predict risk reduction — MTTR, vulnerability density, reachability, and false positive rate — with 2024-2025 benchmarks.
Mobile Application Security: Risks & Tools
BLASTPASS, XcodeGhost, and a 2024 OWASP supply-chain category show mobile app security is its own attack surface — here's what to fix first, and with what tools.
Top 10 Application Security Acronyms (Glossary)
SAST, DAST, SBOM, CVSS, CWE, SSDF — 10 AppSec acronyms defined with real CVEs, dates, and standards so you use them correctly, not interchangeably.
What is Attack Surface Management
Attack surface management explained: what it covers, how it differs from vulnerability management, and why CISA and Gartner now treat it as core AppSec.
cdxgen v12: Reachability Evidence Lands in SBOMs
OWASP's cdxgen v12 ships reachability evidence powered by atom, multi-BOM generation (SBOM, CBOM, SaaSBOM, OBOM, CDXA), and CycloneDX 1.7 as the default. We tested it on a Java monorepo.
Defense Software Supply Chain Under the 2026 Federal Rules
CMMC 2.0, the FAR SBOM rule, and DoD Instruction 8500.01 have reshaped what software contractors must deliver. Here is the 2026 operational baseline for defense industrial base suppliers.
What is an Attack Surface
An attack surface is every exposed point attackers can use to get in — code, configs, credentials, and dependencies. Here's how to define, measure, and shrink it.
What is a CVE (Common Vulnerabilities and Exposures)
A CVE is a unique ID for a known security flaw, but how it's assigned, scored, and disclosed is far messier than the name suggests.
ESSCM Buyer Guide 2026
An enterprise buyer's guide to End-to-End Software Supply Chain Management platforms in 2026, with the questions that separate marketing from working products.
Discovering Shadow AI Models In Production
Engineers ship models faster than security can track them. Here is how to find shadow AI in production without slowing the teams that build it.