sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Snyk vs Aikido Security Comparison
Comparing Snyk and Aikido as code scanners misses the bigger question: can you prove what actually shipped? Here's where Safeguard's supply chain security fits.
Best SBOM Tools (2026): An Honest FAQ
A balanced 2026 FAQ on the best SBOM tools — how Syft, Trivy, Dependency-Track, Sonatype, Black Duck, and Safeguard compare, and when a generator is enough versus a platform.
The XZ Utils backdoor CVE-2024-3094 explained
CVE-2024-3094 hid a remote-access backdoor inside xz-utils via a years-long social engineering campaign. Here's the timeline, impact, and fix.
event-stream npm package backdoor incident
How a routine maintainer handoff let attackers slip a Bitcoin-stealing backdoor into event-stream, hitting millions of npm installs for ten weeks.
ua-parser-js npm hijack incident
In 2021, a hijacked npm account pushed cryptomining and password-stealing malware into ua-parser-js for 4 hours. Here's what happened and how to catch it faster.
What Is Application Security (AppSec) 101
AppSec used to mean scanning code for known bugs. Here's why that's no longer enough, what CVE-matching tools like Snyk miss, and what a real supply chain security program requires.
Black Duck Alternatives in 2026: An Honest Buyer's Guide
A balanced comparison of the leading Black Duck alternatives in 2026 — Snyk, Mend, Sonatype, FOSSA, Trivy, and Safeguard — with candid pros, cons, and a framework for choosing.
C++ Security Best Practices: Memory Safety, Hardening Flags, and the C/C++ Supply Chain
Microsoft attributes roughly 70% of its CVEs to memory-safety bugs, and the xz backdoor proved the C/C++ supply chain is a live target. Here is the practical hardening path for code you can't rewrite.
How to Get Into Software Supply Chain Security
Software supply chain security is one of the hottest specialties in the field—and one of the least crowded. Here is how students and career-changers can break into it, from the core concepts to a portfolio that stands out.
node-ipc protestware targeting Russia/Belarus IPs
In March 2022, node-ipc's maintainer shipped code wiping files on Russian and Belarusian machines. Here's what happened, how it spread, and how to catch it next time.
NuGet Supply Chain Security: Protecting Your .NET Dependencies
How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.
SBOMs and Executive Order 14028: how a 2021 order reshaped software supply chain policy
Executive Order 14028 made the software bill of materials a matter of federal policy. Here's the story of how it happened, what it requires, and what it means for you in 2026.