sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Best open source audit tools for M&A due diligence
A practical buyer's guide to open source audit tools for M&A due diligence, comparing ScanCode, FOSSology, ORT, Syft/Grype, FOSSA, and Black Duck.
Compromise of Legitimate Upstream Packages
From xz-utils to polyfill.io, attackers increasingly compromise packages developers already trust rather than planting fakes. Here's how these attacks work and how Safeguard catches them.
Best software supply chain observability tools
A practical, no-hype buyer's guide to software supply chain observability tools -- evaluation criteria, an honest roundup of six real vendors, and where Safeguard fits.
Unmaintained Open Source Software: A Supply Chain Risk
Unmaintained open source components quietly power critical software until a bug hits and no one is left to patch it. Here's the risk, and how to manage it.
Untracked Dependencies in the Software Supply Chain
Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.
Outdated Software Components: Quantifying the Risk
Outdated dependencies sit in nearly every codebase. Here's what Equifax and Log4Shell reveal about the real cost of unpatched software supply chain risk.
Immature Open Source Projects as a Supply Chain Risk
xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.
License and Regulatory Risk in Open Source Components
Redis, HashiCorp, and Elastic all re-licensed core projects since 2021, and new rules like the EU Cyber Resilience Act now make license and SBOM gaps a regulatory problem.
Under/Oversized Dependency Risk in Modern Applications
Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.
AI Bill of Materials (AI-BOM) for Model Supply Chains
An AI-BOM tracks every model, dataset, and dependency in your ML pipeline so a compromised base model or license issue can be traced in minutes, not weeks.
OpenTofu and Terraform provider supply chain risk
Terraform and OpenTofu providers run unsandboxed with full pipeline credentials. Here's where the provider supply chain actually breaks down.
CVE-2019-11358: Prototype pollution in jQuery $.extend
CVE-2019-11358 lets attackers pollute Object.prototype via jQuery's $.extend() deep merge. Here's the impact, affected versions, and how to fix it.