Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Open Source Security

Reconstructing a Real-World Dependency Confusion Incident...

A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.

Jul 31, 20257 min read
SBOM

Why 'We Have an SBOM' Isn't the Same as 'We Are Secure'

An SBOM tells you what's in your software, not whether it's safe. Here's why inventory alone can't stop supply chain attacks like XZ Utils or SolarWinds.

Jul 30, 20257 min read
Buyer's Guides

SBOM Format Wars: CycloneDX vs SPDX in Practice

CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.

Jul 30, 20257 min read
SBOM

The Gap Between SBOM Generation and SBOM Consumption

Most companies generate SBOMs to satisfy a compliance checkbox, then let them sit unread. Here is why SBOM consumption lags generation, and how to close the gap.

Jul 29, 20257 min read
SBOM

Regulatory Pressure and the Uneven Global Adoption of SBOMs

SBOM mandates now span the US, EU, and Japan, but each uses different formats, deadlines, and penalties. Here's how the patchwork actually works.

Jul 29, 20258 min read
SBOM

VEX Documents: The Missing Context That Makes SBOMs Actio...

SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.

Jul 29, 20257 min read
SBOM

Why Most SBOMs Go Stale the Day They're Generated

SBOMs decay the moment they're generated because dependency trees shift daily. Here's why point-in-time SBOMs fail during real incidents—and what continuous generation requires.

Jul 29, 20257 min read
SBOM

AI-BOMs: Extending Bill-of-Materials Thinking to Machine ...

AI-BOMs extend SBOM discipline to machine learning models—tracking training data, weights, and lineage. Here's what they contain and why regulators now require them.

Jul 28, 20257 min read
SBOM

Third-Party SBOM Trust: Can You Verify a Vendor's Bill of...

A vendor's SBOM is a claim, not proof. Here's what actually verifies third-party software bills of materials — and why signatures alone aren't enough.

Jul 28, 20258 min read
SBOM

Federal Procurement Rules and Their Ripple Effect on Priv...

Federal rules from EO 14028 to FDA Section 524B and CMMC 2.0 have made SBOMs a procurement baseline — and the requirements are cascading into private-sector supply chains too.

Jul 28, 20257 min read
SBOM

From Inventory to Insight: Turning SBOM Data Into Priorit...

A complete SBOM often surfaces thousands of CVEs. Here's how reachability, exploitability, and business context turn that noise into a prioritized action plan.

Jul 28, 20258 min read
Open Source Security

The Unpaid Labor Behind Critical Internet Infrastructure

Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.

Jul 27, 20257 min read
sbom (Page 71) — Safeguard Blog