Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A pragmatic 90-day blueprint for standing up an SBOM program that survives auditor scrutiny, procurement reviews, and incident response without burning out your platform team.
AI models are now first-class supply chain components. Here is how an AI-BOM captures lineage, datasets, runtimes, and evaluations in a way that survives audit.
CycloneDX 1.7 brings richer ML-BOM, better attestations, and VEX tightening. A practical review of what changed and what it means for your SBOM pipeline.
Procurement that asks for a PDF security questionnaire is buying paperwork. SBOM-driven onboarding turns vendor risk into queryable, comparable, and enforceable data.
A senior-engineer comparison of CycloneDX and SPDX in 2026, covering field coverage, tooling, AI-BOM support, VEX, and the practical trade-offs for your programme.
Auditors do not score SBOMs on file count. They check a small set of fields that prove the artefact is real, current, and tied to a verifiable build. Here are the ones that matter.
An SBOM without VEX is a noise machine. Here is how disciplined VEX authoring cuts vulnerability backlogs by 70-90% while improving defensibility, not weakening it.
An SBOM is a list. A reachability-prioritised SBOM is a triage queue. The difference determines whether the SBOM produces value or sits unread.
Article 10 turns training data governance into a legal obligation. AI-BOM is how you prove it. A practical mapping of what the regulation expects to what the artefact captures.
Weekly insights on software supply chain security, delivered to your inbox.