sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
SBOM as a Product, Not a Checkbox
Most SBOMs are generated, filed, and forgotten. Treating them as compliance artifacts rather than operational products is why they have not paid off — and how to fix it.
What is Risk-Based Vulnerability Prioritization
CVSS alone can't sort 40,000 CVEs a year. Learn how reachability, EPSS, and KEV data cut real risk from noise.
What is Noise Reduction in AppSec Tooling
Most AppSec scans return thousands of findings, but under 5% are ever reachable in production. Here's how noise reduction actually works.
FAQ: CycloneDX vs SPDX — Which to Use?
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
SBOM Ingestion at Scale: An Architecture Guide
A pragmatic architecture for ingesting, normalizing, and querying hundreds of thousands of SBOMs across an enterprise or agency, without drowning in noise.
SEC Cyber Incident Disclosure Rule: Year Two
Two years into Item 1.05 of Form 8-K, the SEC has clarified materiality, enforcement posture, and how Regulation S-K Item 106 cybersecurity narratives will be judged.
What is Binary Composition Analysis
Binary composition analysis identifies open source components inside compiled artifacts—no source code needed. Here's how it works and why it matters.
Go module proxy security: how GOPROXY and sum.golang.org ...
How GOPROXY and sum.golang.org protect Go builds with caching and checksum verification, and where trust-on-first-use gaps let malicious modules slip through.
What is License Scanning
License scanning finds every open source license in your dependency tree before it becomes a legal or compliance problem — here's how it works and why it changed in 2024.
What is a Private Package Registry
A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.
What is Artifact Repository Security
Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.
What is Reproducible Builds
Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.