SBOM Cross-Vendor Normalisation: Enterprise Program
Vendor SBOMs arrive in every shape and size. Without disciplined normalisation, your ingest store is a junk drawer. Here is how mature programmes solve it.
When a critical CVE drops, the only number that matters is minutes-to-blast-radius. Here is how a well-run SBOM programme answers the question in under five minutes.
Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.
Fulcio issues short-lived certificates for keyless signing. Here is the enterprise view of how those certificates are issued, validated, and woven into long-term trust.
Six tools generate SBOMs from Java projects. They disagree on transitive depth, license fields, and licensing of their own output. A head-to-head.
Generating provenance is half the story. Consuming it correctly, at the right points in the pipeline, is where the security value actually materialises.
We scored 1,200 production SBOMs in 2024 across CycloneDX and SPDX. The quality distribution is worse than advertised and we have the numbers.
Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.
Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.