sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
EU CRA SBOM requirements overview and compliance tips
The EU Cyber Resilience Act makes SBOMs mandatory for connected products by December 2027. Here is what CRA compliance actually requires, and how to prepare.
SBOM Quality: Fields Auditors Actually Check
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.
NIST 800-53 security and privacy controls overview
A breakdown of NIST 800-53 Rev 5's control families, SBOM and supply-chain requirements, and why scanning tools like Anchore cover only a narrow slice of what compliance demands.
Software Supply Chain Security News: How to Actually Track It
Software supply chain security news moves across a dozen disconnected sources — registries, CVE feeds, vendor blogs — here's a repeatable system for not missing the one that hits you.
NIST 800-190 container security guide compliance
NIST 800-190 requires evidence across five container risk categories, not just image scans. Where Anchore-based pipelines fall short and how to close the gap.
DoD software factory reference design and secure software...
What a real DoD software factory requires under the DevSecOps Reference Design, where Anchore's scanning fits and falls short, and how continuous SBOM evidence enables cATO.
SBOM Drift Detection Playbook for 2026
A practical playbook for detecting and responding to SBOM drift between source, build, and runtime, with the patterns that separate signal from noise.
CycloneDX 1.7 Migration Guide From 1.5
A practical migration path from CycloneDX 1.5 to 1.7 covering schema changes, machine learning BOM additions, formulation, and the tooling adjustments required.
FDA Premarket Cybersecurity for Medical Devices 2026
A senior engineer's guide to FDA premarket cybersecurity for medical devices in 2026: section 524B, SBOM expectations, SPDF, and what reviewers actually ask about.
Report on Compliance (ROC) vs Self-Assessment Questionnai...
PCI DSS ROC vs SAQ explained, and why v4.0.1's software inventory and anti-skimming rules demand supply chain evidence GRC tools like Vanta weren't built to generate.
Introducing Safeguard TPRM: Evidence-Based Third-Party Risk Management
Safeguard's new TPRM module replaces vendor questionnaires with SBOM-driven, continuous third-party risk assessment.
Use of Components with Known Vulnerabilities
Equifax lost 147M records to one unpatched library. Here's what "components with known vulnerabilities" means and how reachability analysis fixes the triage problem.