Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Open Source Security

What the curl CVE disclosures teach about patching embedded C libraries

curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.

Jul 8, 20267 min read
Container Security

Docker best practices for Node.js developers in 2026

Multi-stage builds can cut a Node.js image from 1GB+ down to under 150MB — but most teams still ship dev dependencies, root shells, and unscanned base layers to production.

Jul 8, 20267 min read
Supply Chain Security

Enriching SBOMs with Vulnerability and License Metadata

A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.

Jul 8, 20267 min read
Supply Chain Security

Generating a CycloneDX/SPDX SBOM for a Node.js Application

npm has shipped a native `npm sbom` command since v9 — but a real supply chain program needs more than the CLI default. Here's how to do it right.

Jul 8, 20266 min read
Application Security

Designing an application security program from first principles

Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.

Jul 8, 20267 min read
Compliance & Frameworks

Japan METI's SBOM Guidance: What Software Vendors Need to Know

METI's SBOM guidance has no legal teeth, yet Ver. 2.0 already shapes procurement at Japan's largest manufacturers and critical-infrastructure buyers.

Jul 8, 20267 min read
AI Security

Mapping the blast radius of a vulnerable AI infrastructure dependency

One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.

Jul 8, 20266 min read
Compliance & Frameworks

Mapping NIST CSF 2.0 to your AppSec program

NIST CSF 2.0 added a sixth function, Govern, in February 2024 — most AppSec teams still map their tooling to only three of the six.

Jul 8, 20266 min read
Open Source Security

The node-ipc protestware incident, four years later: a checklist for maintainer-inserted risk

In March 2022 a legitimate node-ipc maintainer shipped code that wiped files based on IP geolocation. CVE-2022-23812 still has no patch for the real problem.

Jul 8, 20266 min read
Open Source Security

Inside OpenSSF's priority stack: SBOM, Scorecard, and Sigstore

OpenSSF now runs eight technical initiative areas and four flagship projects — most teams have heard of one and adopted none. Here's what's actually worth doing first.

Jul 8, 20267 min read
Supply Chain Attacks

Anatomy of the polyfill.io CDN Compromise

In June 2024, a single acquired domain turned a free CDN trusted by over 100,000 sites into a live malware injection point — with no dependency update required.

Jul 8, 20266 min read
Supply Chain Security

SBOM adoption: generating, distributing, and consuming SBOMs to cut supply chain risk

Four years after EO 14028, most SBOMs still sit unread in a folder. Here's how to generate, ship, and actually query one before the next Log4Shell.

Jul 8, 20266 min read
sbom (Page 4) — Safeguard Blog