Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

SBOM

SBOM requirements for industrial control systems (ICS/SCADA)

ICS/SCADA SBOM requirements are colliding with 20-year-old control systems that predate software transparency mandates. Here's what's required, why, and how to close the gap.

Dec 22, 20257 min read
Regulatory Compliance

TSA pipeline cybersecurity directive and software supply ...

A breakdown of TSA's pipeline cybersecurity directives and the software supply chain requirements they impose on operators and oil and gas vendors alike.

Dec 21, 20257 min read
Compliance

SBOM Compliance in 2025: Tracking Global Mandates and Deadlines

SBOM requirements are now embedded in regulations across the US, EU, Japan, and beyond. A practical tracker of what is required, by whom, and by when.

Dec 20, 20257 min read
Standards

CycloneDX 1.7 Ratified as ECMA-424 2nd Edition (December 2025)

CycloneDX v1.7 was adopted as ECMA-424, 2nd Edition by the Ecma General Assembly in December 2025. We unpack citations, cryptographic assets, and distribution constraints.

Dec 15, 20255 min read
Standards

CycloneDX 1.7 Deep Dive: Cryptography, Citations, and Patents

CycloneDX 1.7 released in October 2025 with first-class cryptography metadata, a new Citations element, and patent-aware IP fields. We walk through what changed and which producers should adopt now.

Dec 9, 20257 min read
Vulnerability Analysis

Hardcoded credentials vulnerabilities explained

Hardcoded credentials (CWE-798) have caused real breaches at Uber, Toyota, and Mercedes-Benz. Here's how they happen, how common they are, and how to fix them.

Dec 8, 20257 min read
Vulnerability Analysis

CI/CD pipeline supply chain attacks explained

A breakdown of how CI/CD supply chain attacks work, from SolarWinds to the 2025 tj-actions/changed-files breach, and how to detect and stop them.

Dec 7, 20256 min read
Vulnerability Analysis

How to detect malicious npm packages

Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.

Dec 7, 20256 min read
Vulnerability Analysis

Subresource integrity bypass explained

SRI hashes can't stop what happens before the hash is made. How polyfill.io, British Airways, and event-stream exposed real gaps in browser integrity checks.

Dec 6, 20257 min read
Vulnerability Analysis

Secrets leakage in Docker images explained

How credentials get baked into Docker image layers, real incidents that exposed them, and how to detect and stop secrets leakage in container images.

Dec 3, 20257 min read
Concepts

What Is a Build Artifact?

A build artifact is the packaged output your build process produces from source code. Here is why artifacts are a critical supply chain checkpoint and how to verify their provenance.

Dec 2, 20256 min read
Open Source Security

npm prototype pollution trends report 2025

Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.

Dec 1, 20257 min read
sbom (Page 60) — Safeguard Blog