sbom
Safeguard articles tagged "sbom" — guides, analysis, and best practices for software supply chain and application security.
972 articles
How to Build a VEX Document for Your Consumers
A hands-on tutorial for producing a CSAF-VEX document that tells your customers which CVEs actually affect your product and which do not.
GraalVM Native Image Supply Chain
GraalVM native images change the supply chain story in ways that most SBOM tooling has not caught up with yet. Here is what gets baked in, what gets stripped out, and what still needs to be tracked.
Vulnerability Management at Enterprise Scale: What Actually Works
Managing vulnerabilities across thousands of applications and millions of dependencies requires fundamentally different approaches than what works for a single team. Here is what scales.
PCI DSS 4.0 Software Supply Chain Requirements Explained
PCI DSS 4.0 quietly turned component inventories, third-party code review, and payment page script control into audit line items. Here's the requirement-by-requirement map.
SBOM Visualization Tools Compared: Making Dependency Data Actionable
An SBOM in JSON or XML format is data. A visualization turns that data into insight. This comparison examines how different tools present SBOM data and which approaches work best for different audiences.
Migrating SBOM Tooling Providers
A practical field guide to switching SBOM tooling vendors without losing historical data, breaking compliance reports, or annoying the auditors.
SBOM for EdTech Platforms: Protecting Student Data Through Supply Chain Transparency
EdTech platforms handle some of the most sensitive data — children's information. FERPA, COPPA, and state student privacy laws demand supply chain visibility that most EdTech companies lack.
Executive Order 14028, Three Years Later: Progress, Gaps, and What Comes Next
Three years after the landmark cybersecurity executive order, SBOM adoption is growing but uneven, secure development attestation is rolling out, and the gap between policy and practice remains wide.
How to Meet EO 14028 Self-Attestation Requirements Step by Step
The CISA attestation form is final and the deadlines are real. Here is the step-by-step path: scope, SSDF evidence, POA&Ms, and RSAA submission.
Medical Device SBOM Requirements in Practice
SBOMs for medical devices look straightforward on paper and get complicated fast in the real world. A field report on what regulators actually accept and what engineering teams actually produce.
SPDX 3.0: What Changed and Why It Matters
SPDX 3.0 is a major overhaul of the ISO-standard SBOM format. Here is a practical breakdown of the new profile system, linking model, and what it means for adoption.
IoT Firmware SBOMs: From Nice-to-Have to Regulatory Requirement
Government mandates and industry standards are making SBOMs mandatory for IoT firmware. Here's what manufacturers need to know to comply.