sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
What is FedRAMP
FedRAMP governs how federal agencies vet cloud software. Here's what it requires, what it costs, how long it takes, and what FedRAMP 20x changes.
SBOM Quality Across Ecosystems: 2026 Report
The Safeguard Research team measured SBOM quality across ecosystems and generators. The gaps between formats, tools, and languages are larger than most teams assume.
What is the NIST Secure Software Development Framework (SSDF)
NIST SSDF (SP 800-218) explained: its four practice groups, the EO 14028 origin, federal attestation deadlines, and how it differs from SLSA and SP 800-53.
What is Executive Order 14028
EO 14028 forced federal software vendors to prove what's in their code. Here's what it requires, who it binds, and what's changed since 2021.
What is the EU Cyber Resilience Act
The EU Cyber Resilience Act sets binding cybersecurity rules for digital products, with reporting due by Sept 2026 and full compliance by Dec 2027.
SBOMs for Firmware and IoT Devices: The Hard Problem
Generating accurate SBOMs for firmware and IoT devices remains one of the toughest challenges in supply chain security. Here's the current state of the art.
DORA for Financial Services Software Supply Chain
How EU DORA is reshaping software supply chain expectations for financial services in 2026, with practical guidance on ICT third-party risk, SBOMs, and incident reporting.
What is Compliance Automation
Compliance automation replaces manual audit evidence with continuous, API-driven monitoring — here's how it works, which frameworks it covers, and why supply chain evidence changes the equation.
JavaScript Security Explained
JavaScript security means managing three attack surfaces: runtime bugs, browser XSS, and npm supply chain compromise — the last of which caused 2025's biggest incidents.
Node.js Security Best Practices
Node.js supply chain attacks like event-stream, ua-parser-js, and Shai-Hulud show why dependency depth is the real risk -- here's what actually reduces it.
Python Security Explained
How Python's install-time code execution and open PyPI namespace fuel real supply chain attacks — and what actually reduces the risk.
C# and .NET Security Explained
C# and .NET security explained: real CVEs, NuGet supply-chain attacks, BinaryFormatter risk, and the SolarWinds lesson every .NET team needs.