sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
Cryptographic Bill of Materials (CBOM): The Next Frontier
Post-quantum cryptography migration requires knowing what cryptographic algorithms your software uses. CBOMs provide that inventory. Here is what they are and why they matter.
SBOM Quality Benchmarking: What We Found in 2024
We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.
CycloneDX vs SPDX in Practice: Choosing an SBOM Format
Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.
CISA's SBOM Sharing Lifecycle: A Framework for Practical Adoption
CISA releases updated guidance on SBOM sharing practices, addressing the full lifecycle from generation to consumption across supplier and buyer relationships.
State and Local Government SBOM Mandates
States and cities are adopting SBOM requirements faster than most vendors have noticed. A survey of where the mandates sit and what they actually require.
CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them
The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.
What is an SBOM Drift
SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.
SBOM Adoption in 2024: Enterprise Survey Results and Reality Check
Despite growing regulatory pressure, enterprise SBOM adoption remains uneven. A look at where organizations actually stand with SBOM generation, consumption, and operationalization.
Software Escrow and Supply Chain Continuity Planning
Most escrow deposits are write-only: nobody ever verifies they build. What escrow actually covers, when to pay for verification, and what continuity means for SaaS and OSS.
PCI DSS Meets SBOM Requirements
PCI DSS v4.0.1 doesn't say the word SBOM, but its software inventory and vulnerability management requirements make one effectively mandatory. Here's how to build an SBOM program that passes a QSA review.
Security Data Lake Architecture for Supply Chain Intelligence
A security data lake aggregates SBOMs, vulnerability data, build provenance, and runtime signals into a queryable store. This architecture enables the cross-cutting analysis that siloed tools cannot provide.
US DoD Zero Trust: Software Dimensions
Where the DoD Zero Trust Reference Architecture meets the software supply chain, and what program offices are actually doing about it.