sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
PHP Security Explained
PHP still runs ~74% of the web. From the 2024 PHP-CGI RCE to WordPress plugin flaws, here's what actually breaks PHP apps in production.
Go (Golang) Security Explained
Go's memory safety stops buffer overflows, not logic bugs, typosquatted modules, or CI-pipeline compromise. Here's what actually threatens Go security.
FAQ: When Do You Need a Dedicated SBOM Tool?
When a scanner's built-in SBOM export stops being enough — signals you need a dedicated SBOM tool, what one actually does, and how to evaluate.
Federal Software Procurement and SBOM Requirements: A Vendor's Playbook
If you sell software to the US government, SBOM requirements are now non-negotiable. Here's a practical playbook for compliance.
Rust Security Explained
Rust kills most memory-safety bugs, but crates.io supply chain attacks and CVE-2024-24576 prove "written in Rust" isn't a security guarantee.
Multi-Arch Image Builds and Attestation Pitfalls
Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.
C/C++ Security Explained
C/C++ still cause ~70% of critical CVEs. From Heartbleed to the xz backdoor, here's why memory bugs persist and how to find exploitable ones fast.
Model Inventory Tracking: Griffin AI vs Mythos
You cannot secure what you cannot enumerate. Griffin AI maintains a typed inventory of every model, version, and deployment across a tenant. Mythos-class tools approximate the inventory in prose.
Snyk vs Black Duck Comparison
Snyk and Black Duck take different paths to open source risk—developer-first scanning vs. compliance-grade component identification. Here's how they compare, and where reachability closes the gap.
How to set up SBOM generation in a CI pipeline
Learn how to build an SBOM generation CI pipeline with Syft and GitHub Actions, covering scanning, signing, storage, and verification for supply chain visibility.
SCA Security Tools: A Practical Shortlist
A working shortlist of SCA security tools, what actually differentiates them beyond CVE counts, and how to pick an sca solution that fits your ecosystem.
What is TLS/SSL
TLS/SSL encrypts data in transit, but outdated versions and unpatched libraries like Heartbleed-era OpenSSL still expose real risk today.