sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
SBOM requirements for industrial control systems (ICS/SCADA)
ICS/SCADA SBOM requirements are colliding with 20-year-old control systems that predate software transparency mandates. Here's what's required, why, and how to close the gap.
TSA pipeline cybersecurity directive and software supply ...
A breakdown of TSA's pipeline cybersecurity directives and the software supply chain requirements they impose on operators and oil and gas vendors alike.
SBOM Compliance in 2025: Tracking Global Mandates and Deadlines
SBOM requirements are now embedded in regulations across the US, EU, Japan, and beyond. A practical tracker of what is required, by whom, and by when.
CycloneDX 1.7 Ratified as ECMA-424 2nd Edition (December 2025)
CycloneDX v1.7 was adopted as ECMA-424, 2nd Edition by the Ecma General Assembly in December 2025. We unpack citations, cryptographic assets, and distribution constraints.
CycloneDX 1.7 Deep Dive: Cryptography, Citations, and Patents
CycloneDX 1.7 released in October 2025 with first-class cryptography metadata, a new Citations element, and patent-aware IP fields. We walk through what changed and which producers should adopt now.
Hardcoded credentials vulnerabilities explained
Hardcoded credentials (CWE-798) have caused real breaches at Uber, Toyota, and Mercedes-Benz. Here's how they happen, how common they are, and how to fix them.
CI/CD pipeline supply chain attacks explained
A breakdown of how CI/CD supply chain attacks work, from SolarWinds to the 2025 tj-actions/changed-files breach, and how to detect and stop them.
How to detect malicious npm packages
Real npm supply chain attacks — event-stream, ua-parser-js, node-ipc, and the 2025 chalk/debug breach — show how to spot and stop malicious packages.
Subresource integrity bypass explained
SRI hashes can't stop what happens before the hash is made. How polyfill.io, British Airways, and event-stream exposed real gaps in browser integrity checks.
Secrets leakage in Docker images explained
How credentials get baked into Docker image layers, real incidents that exposed them, and how to detect and stop secrets leakage in container images.
What Is a Build Artifact?
A build artifact is the packaged output your build process produces from source code. Here is why artifacts are a critical supply chain checkpoint and how to verify their provenance.
npm prototype pollution trends report 2025
Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.