sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
974 articles
State of SBOM Adoption Across Industries 2026
How SBOM adoption differs across finance, healthcare, public sector, manufacturing, and tech in 2026, where the real operational usage is, and where it stalls.
AI-BOM Awareness: Griffin AI vs Mythos
AI-BOM is how you describe an AI system's supply chain — models, datasets, prompts, inference environments. Griffin AI ingests it as structured inventory. Mythos-class tools try to talk about AI while remaining blind to the AI systems they describe.
What is Third-Party Risk Management
Third-party risk management explained: what it covers, why SolarWinds and MOVEit made it board-level, and how modern TPRM differs from supply chain security.
What is Vendor Risk Management
Vendor risk management now means tracking code-level supply chain risk, not just SOC 2 reports—here's what it covers, how to tier vendors, and what regulations require it.
Black Hat USA 2025: Supply Chain Security Recap
Black Hat USA 2025 highlighted AI-generated code risks, build system attacks, and the maturation of SBOM tooling. Here is what mattered for supply chain teams.
Air-Gapped Vulnerability Management
No internet means no live CVE feeds, no SaaS scanners, and no auto-updates — but the vulnerabilities still arrive. How to run a real vulnerability management program inside a disconnected environment.
CISA Secure by Design Pledge: Signatories in 2026
CISA's Secure by Design Pledge has crossed 300 signatories. Here is what the 2026 cohort is committing to, what regulators expect in return, and how to prove it.
FDA Premarket Cybersecurity SBOM in 2026
What the FDA's 2026 premarket cybersecurity guidance actually requires for SBOMs, how reviewers evaluate them, and the patterns that cause 510(k) submissions to stall.
SBOM Review in Pull Request Workflows
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
What is the Principle of Least Functionality
The principle of least functionality (NIST CM-7) means shipping only the ports, services, and code a system needs—nothing extra "just in case."
What is Defense in Depth
Defense in depth stacks independent security layers—source, build, dependencies, artifacts, runtime—so no single failure causes a breach.
What is Security by Obscurity
Security by obscurity means hiding a system instead of securing it. Here's why that bet fails, with real breaches, real CVEs, and what to build instead.