vex
Safeguard articles tagged "vex" — guides, analysis, and best practices for software supply chain and application security.
22 articles
SBOM adoption: generating, distributing, and consuming SBOMs to cut supply chain risk
Four years after EO 14028, most SBOMs still sit unread in a folder. Here's how to generate, ship, and actually query one before the next Log4Shell.
SBOM (Software Bill of Materials): Frequently Asked Questions
A clear FAQ on software bills of materials in 2026 — what an SBOM is, SPDX vs CycloneDX, NTIA minimum elements, VEX, signing, and how to keep an SBOM continuously accurate.
What Is VEX (Vulnerability Exploitability eXchange)?
VEX is a machine-readable advisory that states whether a product is actually affected by a known vulnerability. Here's how its status values work and why it cuts SBOM-driven false positives.
Communicating security posture to customers/investors via...
How to turn SBOMs into a real vendor-risk communication tool for customers and investors, and where Mend.io's scan-first approach falls short.
SBOM vs. VEX: What's the Difference and When Do You Need Each?
SBOMs tell you what is in your software. VEX tells you which of those components are actually exploitable. Here is how to use both without drowning in noise.
CycloneDX 1.7 New Features Reviewed
CycloneDX 1.7 brings richer ML-BOM, better attestations, and VEX tightening. A practical review of what changed and what it means for your SBOM pipeline.
Best SBOM Management Platforms 2026 Review
A 2026 review of the best SBOM management platforms, comparing Dependency-Track, Anchore, Kusari, and Safeguard on depth and compliance.
Vulnerability Intelligence Platform Buyer Guide 2026
A senior-engineer's buyer guide for vulnerability intelligence platforms in 2026: what to evaluate, how to test, and where most procurement processes go wrong.
How to Respond When a CVE Drops in a Package You Ship
A working playbook for the day a CVE lands in your dependency tree: confirm exposure with SBOM queries, judge real exploitability, patch or mitigate, then prove it and publish VEX.
CycloneDX
CycloneDX is the OWASP-backed SBOM standard for tracking software components, vulnerabilities, and VEX statements. Here's what is CycloneDX and how it compares to SPDX.
FAQ: When Do You Need a Dedicated SBOM Tool?
When a scanner's built-in SBOM export stops being enough — signals you need a dedicated SBOM tool, what one actually does, and how to evaluate.
OpenVEX vs. CycloneDX VEX: Which to Pick
A direct comparison of OpenVEX and CycloneDX VEX in 2026, covering spec differences, tooling support, and the operational tradeoffs that actually affect your choice.