sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Reconstructing a Real-World Dependency Confusion Incident...
A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.
Why 'We Have an SBOM' Isn't the Same as 'We Are Secure'
An SBOM tells you what's in your software, not whether it's safe. Here's why inventory alone can't stop supply chain attacks like XZ Utils or SolarWinds.
SBOM Format Wars: CycloneDX vs SPDX in Practice
CycloneDX and SPDX both claim to be "the" SBOM standard. Here's where they actually diverge on VEX support, license compliance, and government mandates — and which to pick.
The Gap Between SBOM Generation and SBOM Consumption
Most companies generate SBOMs to satisfy a compliance checkbox, then let them sit unread. Here is why SBOM consumption lags generation, and how to close the gap.
Regulatory Pressure and the Uneven Global Adoption of SBOMs
SBOM mandates now span the US, EU, and Japan, but each uses different formats, deadlines, and penalties. Here's how the patchwork actually works.
VEX Documents: The Missing Context That Makes SBOMs Actio...
SBOMs list every component but stay silent on whether a CVE is actually exploitable. VEX documents supply that missing context — here's how the standard works.
Why Most SBOMs Go Stale the Day They're Generated
SBOMs decay the moment they're generated because dependency trees shift daily. Here's why point-in-time SBOMs fail during real incidents—and what continuous generation requires.
AI-BOMs: Extending Bill-of-Materials Thinking to Machine ...
AI-BOMs extend SBOM discipline to machine learning models—tracking training data, weights, and lineage. Here's what they contain and why regulators now require them.
Third-Party SBOM Trust: Can You Verify a Vendor's Bill of...
A vendor's SBOM is a claim, not proof. Here's what actually verifies third-party software bills of materials — and why signatures alone aren't enough.
Federal Procurement Rules and Their Ripple Effect on Priv...
Federal rules from EO 14028 to FDA Section 524B and CMMC 2.0 have made SBOMs a procurement baseline — and the requirements are cascading into private-sector supply chains too.
From Inventory to Insight: Turning SBOM Data Into Priorit...
A complete SBOM often surfaces thousands of CVEs. Here's how reachability, exploitability, and business context turn that noise into a prioritized action plan.
The Unpaid Labor Behind Critical Internet Infrastructure
Open source runs on unpaid maintainer labor. From xz-utils to Log4Shell to colors.js, we examine why burnout became a top supply chain security risk.