software-supply-chain-security
Safeguard articles tagged "software-supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
494 articles
ASPM platform buyer's guide (Software Risk Manager)
A fact-based comparison of Safeguard and Black Duck's Software Risk Manager for teams evaluating ASPM platforms: architecture, SCA heritage, deployment.
What is a Software Bill of Materials workflow (SPDX/SBOM)...
A practical breakdown of SPDX-based SBOM compliance workflows — NTIA rules, EU CRA and FDA deadlines, where Black Duck falls short, and how continuous SBOM generation closes the gap.
How to Audit the Dependencies of an AI Agent
An AI agent's dependency tree spans packages, MCP servers, models, and system prompts. A step-by-step audit method that actually enumerates all four layers.
BSIMM16 report: benchmarking software security program ma...
BSIMM16 shows AI now drives more security program change than any other force, with 111 firms assessed and SBOM use up nearly 30%. Here's what it means — and its blind spots.
Open source license compliance and risk management
How to manage open source license risk beyond point-in-time scans: copyleft traps, MongoDB/Elastic relicensing, and why continuous checks beat Black Duck-style audits.
Financial services application security compliance
PCI DSS 4.0, DORA, and NYDFS 500 now demand provable SBOM and provenance evidence — see where legacy SCA tools like Black Duck fall short for financial services teams.
Public sector / government application security requirements
EO 14028, CISA's attestation form, and FedRAMP have made government application security compliance its own discipline. Here's what's required and where legacy SCA tools like Black Duck fall short.
Best Vulnerability Management Tools in 2026: An Honest Buyer's Guide
An honest guide to the best vulnerability management tools in 2026 — from broad asset scanners like Tenable, Qualys, and Rapid7 to cloud-native Wiz and reachability-driven SCA from Snyk and Endor Labs — with a clear 'best for' for each and where Safeguard fits.
Cybersecurity Research Center (CyRC): vulnerability resea...
What is Black Duck's CyRC, how does it research and disclose vulnerabilities, and where do its coverage gaps leave your open source supply chain exposed?
Compare Sonatype / Why Choose Sonatype
Comparing Safeguard and Sonatype on origin, CVE-vs-malicious-package coverage, AI-agent (MCP) support, and CI/CD fit — a practical guide to Sonatype alternatives.
Sonatype Nexus Repository Manager Alternatives
Evaluating Nexus Repository Manager alternatives? A concrete look at reachability analysis, scanner fusion, auto-fix, and AI/MCP governance versus Sonatype.
How to evaluate software supply chain security vendors us...
A practical framework for evaluating software supply chain security vendors on verifiable dimensions—SBOM support, provenance, deployment model—rather than analyst labels alone.