standards
Safeguard articles tagged "standards" — guides, analysis, and best practices for software supply chain and application security.
10 articles
CycloneDX 1.7 Migration Guide From 1.5
A practical migration path from CycloneDX 1.5 to 1.7 covering schema changes, machine learning BOM additions, formulation, and the tooling adjustments required.
SPDX 3.0 Feature Overview for 2026
What changed in SPDX 3.0 and the 3.0.1 patch release: the profile model, AI and dataset profiles, serialization choices, and what to migrate first.
AI-BOM and ML-BOM: The State of Standards in 2026
Where AI-BOM and ML-BOM specifications stand in 2026, which formats have real adoption, and what to capture today even if the standards are still in motion.
CycloneDX 1.7 Ratified as ECMA-424 2nd Edition (December 2025)
CycloneDX v1.7 was adopted as ECMA-424, 2nd Edition by the Ecma General Assembly in December 2025. We unpack citations, cryptographic assets, and distribution constraints.
OWASP ASVS 5.0 Adoption Guide
OWASP ASVS 5.0 restructured the verification levels and added new requirements for modern stacks. A practical adoption guide for teams using ASVS as their security baseline.
SPDX 3.0.1: The Patch Release That Cleared ISO and OMG Submission
SPDX 3.0.1 was announced on December 27, 2024, bundling fixes from 3.0.0 implementation and the edits required for OMG SPDX/3.0 and ISO/IEC submission.
Cryptographic Bill of Materials (CBOM): The Next Frontier
Post-quantum cryptography migration requires knowing what cryptographic algorithms your software uses. CBOMs provide that inventory. Here is what they are and why they matter.
CycloneDX and SPDX: Why Safeguard Supports Both and How We Normalize Between Them
The SBOM format debate misses the point. Safeguard ingests both CycloneDX and SPDX, normalizes to a common model, and lets you query and export in either format.
SBOMs for AI/ML Models: Why Machine Learning Needs a Bill of Materials
As AI models become critical infrastructure, the need for transparency about their components, training data, and dependencies grows urgent. Emerging standards are beginning to address this gap.
CycloneDX Specification Deep Dive: Beyond the Basics
CycloneDX is more than a component list. This deep dive covers services, vulnerabilities, compositions, and the parts of the spec most teams overlook.