Signed SBOMs As Procurement Leverage
Unsigned SBOMs are paperwork. Signed SBOMs with in-toto attestations are leverage. Here is how mature procurement programmes use signing to harden vendor relationships.
The Safeguard Research team measured SBOM quality across ecosystems and generators. The gaps between formats, tools, and languages are larger than most teams assume.
Generating accurate SBOMs for firmware and IoT devices remains one of the toughest challenges in supply chain security. Here's the current state of the art.
How EU DORA is reshaping software supply chain expectations for financial services in 2026, with practical guidance on ICT third-party risk, SBOMs, and incident reporting.
When a scanner's built-in SBOM export stops being enough — signals you need a dedicated SBOM tool, what one actually does, and how to evaluate.
If you sell software to the US government, SBOM requirements are now non-negotiable. Here's a practical playbook for compliance.
Why multi-architecture container images break assumptions baked into signing, SBOM, and attestation tooling, and how to build a multi-arch pipeline that stays verifiable.
You cannot secure what you cannot enumerate. Griffin AI maintains a typed inventory of every model, version, and deployment across a tenant. Mythos-class tools approximate the inventory in prose.
KubeCon + CloudNativeCon NA 2025 put supply chain security at the center of the cloud-native conversation. Here is what mattered for platform teams.