Best Practices
FAQ: CycloneDX vs SPDX — Which to Use?
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
Feb 4, 20266 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Practical answers to the most common CycloneDX vs SPDX questions: differences, tooling, regulatory preference, VEX support, and when to emit both.
A pragmatic architecture for ingesting, normalizing, and querying hundreds of thousands of SBOMs across an enterprise or agency, without drowning in noise.
Proposed legislation would require SBOMs for all critical infrastructure software. Here's a detailed analysis of the bill and its implications.
The questions CISOs actually ask about software supply chain security in 2026: scope, budget, reporting lines, SBOMs, AI code, and where to start.
AI-BOM is how you describe an AI system's supply chain — models, datasets, prompts, inference environments. Griffin AI ingests it as structured inventory. Mythos-class tools try to talk about AI while remaining blind to the AI systems they describe.
Black Hat USA 2025 highlighted AI-generated code risks, build system attacks, and the maturation of SBOM tooling. Here is what mattered for supply chain teams.
What the FDA's 2026 premarket cybersecurity guidance actually requires for SBOMs, how reviewers evaluate them, and the patterns that cause 510(k) submissions to stall.
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
CISA is moving from SBOM guidance to enforcement in 2026. Here's what the mandate requires and how to prepare.
Weekly insights on software supply chain security, delivered to your inbox.