Why SBOMs, signing, and provenance still don’t tell you if software is safe

Jul 13, 2026 - 09:15
Why SBOMs, signing, and provenance still don’t tell you if software is safe

We have made real progress in software supply chain security, improving visibility into software components, authenticity and build integrity. Much of this progress traces back to Executive Order 14028, which pushed agencies, contractors and enterprises to invest in SBOMs, signing and provenance. All of that matters, but it is not enough. The current software trust model still stops short of the question that determines risk at execution: What is this code capable of doing if … More

The post Why SBOMs, signing, and provenance still don’t tell you if software is safe appeared first on Help Net Security.