sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
What a Decade of Open Source Vulnerability Data Tells Us ...
CVEs grew sixfold in a decade. Here is what a decade of open source vulnerability trends reveals about ecosystem maturity, from Log4Shell to the xz backdoor.
The Economics of Free Riding in Open Source Security
Open source runs on unpaid labor while billion-dollar companies use it for free. Here's the economics behind Log4Shell, xz-utils, and the free rider problem.
From Log4Shell to Now: What Changed and What Didn't in Su...
Three years after Log4Shell, Log4j is still found in production systems. Here is what the industry fixed, what it didn't, and why the risk persists.
Do Bug Bounties Actually Reduce Open Source Risk? An Inde...
Bug bounties didn't catch Log4Shell or the XZ Utils backdoor. An independent look at what OSS bounty programs actually cover — and where they structurally fall short.
Binary SBOM Analysis: Creating Software Bills of Materials Without Source Code
Not all software comes with source code. Binary analysis techniques can extract component information from compiled artifacts, firmware, and commercial software to produce SBOMs where traditional tools cannot.
The False Sense of Security Effect in AI-Assisted Develop...
AI coding assistants make developers write faster and trust more — even when the code is less secure. Here's what the data shows, and how to close the gap.
Governance Frameworks Emerging for AI-Assisted Software D...
NIST, ISO 42001, and the EU AI Act now shape how teams must govern AI-generated code. Here's what an AI code governance framework actually requires in practice.
Startups vs Enterprises: Why Smaller Cloud Footprints Are...
Smaller cloud footprints feel safer, but startups often face a higher per-workload security incident rate than enterprises. Here's why size is the wrong safety proxy.
Runtime Detection vs Static Scanning: Closing the Cloud-t...
Static scanners miss what only shows up at runtime. See why the cloud-to-code visibility gap causes months-long breach dwell times, and how to close it.
The Cost Multiplier Effect of Fixing Vulnerabilities in P...
A misconfigured base image caught at build time costs minutes to fix. Found in production, the same CVE triggers incident response and audits.
Why Container Registries Are an Underexamined Supply Chai...
Registries decide what code actually runs in production, yet most security programs treat them as passive storage. Here's why that's a costly blind spot.
SBOM Quality Metrics: Moving Beyond Completeness
Most SBOM quality discussions stop at completeness. Real quality requires measuring accuracy, freshness, depth, and actionability. Here is a practical framework.