Safeguard
Tag

vex

Safeguard articles tagged "vex" — guides, analysis, and best practices for software supply chain and application security.

22 articles

Supply Chain Security

SBOM adoption: generating, distributing, and consuming SBOMs to cut supply chain risk

Four years after EO 14028, most SBOMs still sit unread in a folder. Here's how to generate, ship, and actually query one before the next Log4Shell.

Jul 8, 20266 min read
FAQ

SBOM (Software Bill of Materials): Frequently Asked Questions

A clear FAQ on software bills of materials in 2026 — what an SBOM is, SPDX vs CycloneDX, NTIA minimum elements, VEX, signing, and how to keep an SBOM continuously accurate.

Jul 2, 20266 min read
Concepts

What Is VEX (Vulnerability Exploitability eXchange)?

VEX is a machine-readable advisory that states whether a product is actually affected by a known vulnerability. Here's how its status values work and why it cuts SBOM-driven false positives.

Jul 2, 20266 min read
SBOM

Communicating security posture to customers/investors via...

How to turn SBOMs into a real vendor-risk communication tool for customers and investors, and where Mend.io's scan-first approach falls short.

May 23, 20267 min read
SBOM

SBOM vs. VEX: What's the Difference and When Do You Need Each?

SBOMs tell you what is in your software. VEX tells you which of those components are actually exploitable. Here is how to use both without drowning in noise.

Apr 15, 20268 min read
SBOM & Compliance

CycloneDX 1.7 New Features Reviewed

CycloneDX 1.7 brings richer ML-BOM, better attestations, and VEX tightening. A practical review of what changed and what it means for your SBOM pipeline.

Apr 5, 20266 min read
Best Practices

Best SBOM Management Platforms 2026 Review

A 2026 review of the best SBOM management platforms, comparing Dependency-Track, Anchore, Kusari, and Safeguard on depth and compliance.

Mar 15, 20267 min read
Vulnerability Management

Vulnerability Intelligence Platform Buyer Guide 2026

A senior-engineer's buyer guide for vulnerability intelligence platforms in 2026: what to evaluate, how to test, and where most procurement processes go wrong.

Mar 11, 20265 min read
Guides

How to Respond When a CVE Drops in a Package You Ship

A working playbook for the day a CVE lands in your dependency tree: confirm exposure with SBOM queries, judge real exploitability, patch or mitigate, then prove it and publish VEX.

Mar 6, 20266 min read
Software Supply Chain Security

CycloneDX

CycloneDX is the OWASP-backed SBOM standard for tracking software components, vulnerabilities, and VEX statements. Here's what is CycloneDX and how it compares to SPDX.

Mar 3, 20267 min read
Best Practices

FAQ: When Do You Need a Dedicated SBOM Tool?

When a scanner's built-in SBOM export stops being enough — signals you need a dedicated SBOM tool, what one actually does, and how to evaluate.

Feb 22, 20267 min read
SBOM

OpenVEX vs. CycloneDX VEX: Which to Pick

A direct comparison of OpenVEX and CycloneDX VEX in 2026, covering spec differences, tooling support, and the operational tradeoffs that actually affect your choice.

Feb 11, 20266 min read
vex — Safeguard Blog