sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Why Maintainer Burnout Is a Security Metric, Not Just an ...
The xz Utils backdoor started with a burned-out maintainer, not a zero-day. Here's why maintainer fatigue belongs in your supply chain risk model.
Corporate Dependence on Volunteer-Maintained Projects: A ...
Corporations run on code that volunteers maintain for free. Here's a data-backed risk map—from left-pad to the xz-utils backdoor—and how to manage it.
What Would It Actually Cost Companies to Fund Their Criti...
Heartbleed, Log4Shell, and the 2024 xz backdoor all trace back to unpaid maintainers. Here's what it would actually cost companies to fund the dependencies they depend on.
How Sponsorship Models (GitHub Sponsors, Tidelift, Open C...
GitHub Sponsors, Tidelift, and Open Collective pay maintainers in very different ways. Here's how their fees, payouts, and security guarantees actually compare.
Measuring Project Health: Bus Factor, Commit Velocity, an...
Bus factor, commit velocity, and maintainer concentration predicted the xz-utils and event-stream incidents before any CVE did. Here's how to read these proxies — and where they mislead.
Cloud-to-Code Traceability: Connecting Production Inciden...
When a production alert fires, it names an IP or image hash—rarely a commit or author. Here's why that gap exists and how to close it fast.
Agent Skill Marketplaces as the Next Frontier for Supply ...
Agent skill marketplaces are repeating npm and PyPI's supply chain mistakes—except the malicious payload is often a sentence of instructions, not code. Here's what's already been exploited.
SCA Security Testing: A Workflow Guide
SCA security testing only works when it's wired into an actual development workflow — here's what that pipeline looks like from commit to merge to production monitoring.
Why Small Teams Often Outperform Large Enterprises on Fix...
Small teams often patch critical CVEs in hours while enterprises take weeks — not because of talent, but process. Here's why, and how to close the gap.
Reading Between the Lines of Vendor Research Reports: A M...
Vendor-sponsored security reports shape budgets and policy, but their methodologies rarely survive scrutiny. Here's how to read them critically.
Log4Shell Three Years Later: Which Fixes Actually Stuck?
Three years after Log4Shell's disclosure, which fixes actually held? A look back at CVE-2021-44228's timeline, CVSS/EPSS/KEV context, and lingering exposure.
Writing a Deprecation Policy for Third-Party Components
End-of-life libraries leave codebases only when something forces them out. A written component deprecation policy with triggers, timelines, and CI gates does the forcing on your schedule, not an attacker's.