Merge pull request #17 from shiftleftcyber/feat/addSecureSbomVSSigstore

feat: add Cosign comparison

Author: VinnyBarton

marketing/content/securesbom_vs_sigstore.md

@@ -0,0 +1,76 @@
+---
+title: "SecureSBOM vs Sigstore"
+description: "A side-by-side comparison between SecureSBOM and Sigstore across key criteria such as use cases, SBOM support, key management, and authentication."
+date: 2025-10-20
+draft: false
+---
+
+A detailed comparison of **SecureSBOM** and **Sigstore**, two solutions addressing software supply chain integrity through signing and verification technologies.  
+While **Sigstore** focuses primarily on open-source projects and OCI artifacts, **SecureSBOM** is built for enterprise-grade SBOM signing, verification, and compliance.
+
+---
+
+## 🧩 Primary Use Case
+
+| Tool | Description |
+|------|--------------|
+| **SecureSBOM** | Business / Enterprise Software, purpose-built for SBOM signing and verification. |
+| **Sigstore** | Open Source Software, OCI-Focused (SBOMs attached as a container artifact). |
+
+---
+
+## 📘 SBOM Support
+
+| Tool | Description |
+|------|--------------|
+| **SecureSBOM** | Integrates directly with the **CycloneDX SBOM format** — supports **embedded signatures**, **property exclusion**, and also supports **SPDX detached signatures**. |
+| **Sigstore** | Treats all SBOMs as simple blobs. Supports **detached signatures only** for both SPDX and CycloneDX. |
+
+---
+
+## 🔐 Key Management
+
+| Tool | Description |
+|------|--------------|
+| **SecureSBOM** | **Automated** key lifecycle management using **HSMs**. Ideal for enterprise compliance and long-term trust. |
+| **Sigstore** | Ephemeral, short-lived keys/certificates from **Fulcio** with **OIDC authentication** — or manual key management (local or via cloud providers like GCP/AWS). |
+
+---
+
+## 🪪 Authentication
+
+| Tool | Description |
+|------|--------------|
+| **SecureSBOM** | Authenticated via **API Key**, enabling fine-grained access control and multi-tenant isolation. |
+| **Sigstore** | OIDC (for keyless signing) or external, self-managed authentication mechanisms. |
+
+---
+
+## 🔍 Transparency
+
+| Tool | Description |
+|------|--------------|
+| **SecureSBOM** | **Private Record** system — verification performed using the **associated public key**, keeping enterprise signing activity confidential. |
+| **Sigstore** | Public record via public transparency logs. Verification relies on public keys and the public transparency logs. |
+
+---
+
+## 🧠 Summary
+
+- **SecureSBOM** focuses on enterprise adoption, providing stronger SBOM format integration, private key isolation, HSM-backed signing, and internal verification capabilities.
+- **Sigstore** simplifies signing for open-source projects and CI/CD pipelines relying on OIDC identity proof and public transparency.
+
+---
+
+### ✅ Ideal Fit
+
+| Use Case | Recommended Solution |
+|-----------|----------------------|
+| Enterprise Software & Closed Source/Private Projects | **SecureSBOM** |
+| Open Source Projects | **Sigstore** |
+
+---
+
+Want to learn more?  
+- [SecureSBOM Overview](/securesbom)  
+- [Sigstore Project](https://sigstore.dev)

marketing/hugo.toml

@@ -61,6 +61,12 @@ googleAnalytics = "G-CR0HB4HF2K"
     url = "/securesbom/"
     weight = 1
 
+  [[menu.main]]
+    identifier = "securesbom_vs_cosign"
+    name = "SecureSBOM vs Sigstore"
+    url = "/securesbom_vs_sigstore/"
+    weight = 2
+
   # ToDo - Add this back in when we have a better grasp of our professional services
   #[[menu.main]]
   #  identifier = "products"
@@ -72,19 +78,19 @@ googleAnalytics = "G-CR0HB4HF2K"
     identifier = "blog"
     name = "Blog"
     url = "/blog/"
-    weight = 3
+    weight = 4
 
   [[menu.main]]
     identifier = "about"
     name = "About"
     url = "/about/"
-    weight = 4
+    weight = 5
 
   [[menu.main]]
     identifier = "contact"
     name = "Contact"
     url = "/contactus/"
-    weight = 5
+    weight = 6
 
   # Footer Menu
   [[menu.footer]]