Safeguard
Tag

sbom

Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.

972 articles

Standards

Cryptographic Bill of Materials (CBOM): The Next Frontier

Post-quantum cryptography migration requires knowing what cryptographic algorithms your software uses. CBOMs provide that inventory. Here is what they are and why they matter.

Nov 10, 20247 min read
SBOM & Compliance

SBOM Quality Benchmarking: What We Found in 2024

We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.

Nov 8, 20245 min read
Comparisons

CycloneDX vs SPDX in Practice: Choosing an SBOM Format

Both formats are standards, both are mandated somewhere, and your tooling probably emits both. What actually differs when you run CycloneDX and SPDX in production.

Oct 23, 20246 min read
Compliance & Frameworks

CISA's SBOM Sharing Lifecycle: A Framework for Practical Adoption

CISA releases updated guidance on SBOM sharing practices, addressing the full lifecycle from generation to consumption across supplier and buyer relationships.

Oct 15, 20246 min read
Regulatory Compliance

State and Local Government SBOM Mandates

States and cities are adopting SBOM requirements faster than most vendors have noticed. A survey of where the mandates sit and what they actually require.

Oct 15, 20247 min read
Engineering

CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them

The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.

Oct 15, 20247 min read
Concepts

What is an SBOM Drift

SBOM drift is the gap between what your software bill of materials claims and what the artifact actually contains. Here's how it happens and how to detect it with a diff.

Oct 8, 20247 min read
SBOM

SBOM Adoption in 2024: Enterprise Survey Results and Reality Check

Despite growing regulatory pressure, enterprise SBOM adoption remains uneven. A look at where organizations actually stand with SBOM generation, consumption, and operationalization.

Oct 1, 20246 min read
Engineering

Software Escrow and Supply Chain Continuity Planning

Most escrow deposits are write-only: nobody ever verifies they build. What escrow actually covers, when to pay for verification, and what continuity means for SaaS and OSS.

Sep 19, 20247 min read
Regulatory Compliance

PCI DSS Meets SBOM Requirements

PCI DSS v4.0.1 doesn't say the word SBOM, but its software inventory and vulnerability management requirements make one effectively mandatory. Here's how to build an SBOM program that passes a QSA review.

Sep 14, 20246 min read
DevSecOps

Security Data Lake Architecture for Supply Chain Intelligence

A security data lake aggregates SBOMs, vulnerability data, build provenance, and runtime signals into a queryable store. This architecture enables the cross-cutting analysis that siloed tools cannot provide.

Aug 15, 20247 min read
Regulatory Compliance

US DoD Zero Trust: Software Dimensions

Where the DoD Zero Trust Reference Architecture meets the software supply chain, and what program offices are actually doing about it.

Jul 25, 20247 min read
sbom (Page 74) — Safeguard Blog