Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Buyer's Guides

Best open source audit tools for M&A due diligence

A practical buyer's guide to open source audit tools for M&A due diligence, comparing ScanCode, FOSSology, ORT, Syft/Grype, FOSSA, and Black Duck.

Nov 5, 20258 min read
Open Source Security

Compromise of Legitimate Upstream Packages

From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.

Nov 4, 20257 min read
Buyer's Guides

Best software supply chain observability tools

A practical, no-hype buyer's guide to software supply chain observability tools -- evaluation criteria, an honest roundup of six real vendors, and where Safeguard fits.

Nov 4, 20258 min read
Open Source Security

Unmaintained Open Source Software: A Supply Chain Risk

Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.

Nov 3, 20257 min read
Software Supply Chain Security

Untracked Dependencies in the Software Supply Chain

Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.

Nov 3, 20257 min read
Software Supply Chain Security

Outdated Software Components: Quantifying the Risk

Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.

Nov 3, 20258 min read
Open Source Security

Immature Open Source Projects as a Supply Chain Risk

xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.

Nov 3, 20257 min read
Regulatory Compliance

License and Regulatory Risk in Open Source Components

Redis, HashiCorp, and Elastic all re-licensed core projects since 2021, and new rules like the EU Cyber Resilience Act now make license and SBOM gaps a regulatory problem.

Nov 2, 20258 min read
Open Source Security

Under/Oversized Dependency Risk in Modern Applications

Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.

Nov 2, 20257 min read
Software Supply Chain Security

AI Bill of Materials (AI-BOM) for Model Supply Chains

An AI-BOM tracks every model, dataset, and dependency in your ML pipeline so a compromised base model or license issue can be traced in minutes, not weeks.

Nov 2, 20257 min read
Cloud Security

OpenTofu and Terraform provider supply chain risk

Terraform and OpenTofu providers run unsandboxed with full pipeline credentials. Here's where the provider supply chain actually breaks down.

Nov 1, 20257 min read
Vulnerability Analysis

CVE-2019-11358: Prototype pollution in jQuery $.extend

CVE-2019-11358 lets attackers pollute Object.prototype via jQuery's $.extend() deep merge. Here's the impact, affected versions, and how to fix it.

Oct 15, 20257 min read
sbom (Page 66) — Safeguard Blog