Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Open Source Security

Why Maintainer Burnout Is a Security Metric, Not Just an ...

The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.

Jul 27, 20256 min read
Open Source Security

Corporate Dependence on Volunteer-Maintained Projects: A ...

Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.

Jul 27, 20257 min read
Open Source Security

What Would It Actually Cost Companies to Fund Their Criti...

Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.

Jul 27, 20257 min read
Buyer's Guides

How Sponsorship Models (GitHub Sponsors, Tidelift, Open C...

GitHub Sponsors, Tidelift, and Open Collective pay maintainers in very different ways. Here's how their fees, payouts, and security guarantees actually compare.

Jul 26, 20258 min read
Open Source Security

Measuring Project Health: Bus Factor, Commit Velocity, an...

Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.

Jul 25, 20259 min read
Cloud Security

Cloud-to-Code Traceability: Connecting Production Inciden...

When a production alert fires, it names an IP or image hash—rarely a commit or author. Here's why that gap exists and how to close it fast.

Jul 24, 20258 min read
AI Security

Agent Skill Marketplaces as the Next Frontier for Supply ...

Agent skill marketplaces are repeating npm and PyPI's supply chain mistakes—except the malicious payload is often a sentence of instructions, not code. Here's what's already been exploited.

Jul 22, 20257 min read
Supply Chain

SCA Security Testing: A Workflow Guide

SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.

Jul 21, 20255 min read
DevSecOps

Why Small Teams Often Outperform Large Enterprises on Fix...

Small teams often patch critical CVEs in hours while enterprises take weeks — not because of talent, but process. Here's why, and how to close the gap.

Jul 17, 20256 min read
Industry Analysis

Reading Between the Lines of Vendor Research Reports: A M...

Vendor-sponsored security reports shape budgets and policy, but their methodologies rarely survive scrutiny. Here's how to read them critically.

Jul 13, 20257 min read
Industry Analysis

Log4Shell Three Years Later: Which Fixes Actually Stuck?

Three years after Log4Shell's disclosure, which fixes actually held? A look back at CVE-2021-44228's timeline, CVSS/EPSS/KEV context, and lingering exposure.

Jul 13, 20257 min read
Governance

Writing a Deprecation Policy for Third-Party Components

End-of-life libraries leave codebases only when something forces them out. A written component deprecation policy with triggers, timelines, and CI gates does the forcing on your schedule, not an attacker's.

Jun 24, 20255 min read
sbom (Page 72) — Safeguard Blog