Merge pull request #30 from shiftleftcyber/2026-01-05-blogpost

j28smith · web-flow · commit a7d2928a30c7 · 2026-01-07T14:41:23.000-05:00
Adding latest blog post
diff --git a/marketing/.markdownlint.json b/marketing/.markdownlint.json
@@ -0,0 +1,9 @@
+{
+  "MD013": {
+    "line_length": 120,
+    "code_blocks": false
+  },
+  "MD033": {
+    "allowed_elements": ["abbr"]
+  }
+}
diff --git a/marketing/content/blog/2026-01-05-enisa-thoughts.md b/marketing/content/blog/2026-01-05-enisa-thoughts.md
@@ -0,0 +1,57 @@
++++
+author = "Jason Smith"
+title = "Thoughts on ENISA's New SBOM Implementation Guide 🤔"
+date = "2026-01-05"
+linkedin = "https://www.linkedin.com/posts/j28smith_sbom-landscape-analysis-towards-an-implementation-activity-7414054620387393537-6hHA?utm_source=share&utm_medium=member_desktop&rcm=ACoAACKV2pcBRuHTsaPyNlOHthAchD5xLArHEmo"
+image = "img/thirdparty/2026-01-05-enisa-sbom-landscape-analysis.png"
++++
+
+I've been diving into the
+[<abbr title="European Union Agency for Cybersecurity">ENISA</abbr>](https://www.enisa.europa.eu/) recent Call for
+Feedback on their <abbr title="Software Bill of Materials">SBOM</abbr> Landscape Analysis: Towards an Implementation
+Guide.
+
+It's refreshing to see a guide that prioritizes practicality over just theoretical compliance. While earlier frameworks
+from [<abbr title="Cybersecurity and Infrastructure Security Agency">CISA</abbr>](https://www.cisa.gov/) and
+[<abbr title="National Telecommunications and Information Administration">NTIA</abbr>](https://www.ntia.gov/) were vital
+for setting the baseline and minimum requirements, <abbr title="European Union Agency for Cybersecurity">ENISA</abbr> is
+taking us further into the "how-to" for real-world environments, especially for resource-constrained organizations.
+
+My top highlights:
+
+1️⃣ Practical "How-to": It provides structured implementation phases (Initiation, Planning, Execution, Monitoring &
+Controlling, and Closure) rather than just a list of required fields.
+
+2️⃣ <abbr title="Software Bill of Materials">SBOM</abbr> Signing is Front and Center: It treats cryptographic signing as
+a core requirement (and not optional) for establishing software provenance and integrity.
+
+3️⃣ Built-in <abbr title="Continuous Integration/Continuous Delivery">CI/CD</abbr> Integration with Examples: Includes
+specific automation hooks for GitHub Actions and GitLab <abbr title="Continuous Integration">CI</abbr> (using tools like
+Syft/Cosign) to ensure <abbr title="Software Bill of Materials">SBOMs</abbr> are generated and signed at the "Build-Time"
+stage when they are most accurate.
+
+4️⃣ Focus on Quality: Provides a clear Completeness Assessment Framework with specific "Minimum vs. Excellence"
+thresholds (for example, aiming for 95%+ transitive dependency visibility). It also introduces a three-layered validation
+approach (Structural, Content, and Semantic) to ensure the data is accurate, not just present.
+
+5️⃣ The "Validation Gate": Moves beyond just making an <abbr title="Software Bill of Materials">SBOM</abbr> to verifying
+it before deployment to include automated checks for digital signature verification, hash consistency, and timestamp
+verification to ensure signatures are still valid at the time of deployment.
+
+Supply chain security is a team sport, and this guide provides the playbook we've been waiting for.
+
+A couple of additional tools to call out that it didn't specifically include that I would recommend:
+
+1️⃣ <abbr title="Software Bill of Materials">SBOM</abbr> Signing: SecureSBOM from ShiftLeftCyber
+🔗 [https://shiftleftcyber.io/securesbom/](https://shiftleftcyber.io/securesbom/)
+
+2️⃣ <abbr title="Software Bill of Materials">SBOM</abbr> Quality: sbomqs from Interlynk
+🔗 [https://github.com/interlynk-io/sbomqs](https://github.com/interlynk-io/sbomqs)
+
+Check out the draft and share your feedback with <abbr title="European Union Agency for Cybersecurity">ENISA</abbr> by
+January 23!
+
+🔗 [https://www.enisa.europa.eu/news/call-for-feedback-advancing-software-supply-chain-security-together](https://www.enisa.europa.eu/news/call-for-feedback-advancing-software-supply-chain-security-together)
+
+\#SBOM \#SupplyChainSecurity \#CyberSecurity \#ENISA \#SecureSBOM \#CyberResilienceAct \#CRA \#DevSecOps
+\#SupplyChainIntegrity \#SoftwareProvenance
diff --git a/marketing/hugo.toml b/marketing/hugo.toml
@@ -18,7 +18,7 @@ googleAnalytics = "G-CR0HB4HF2K"
 
 [markup]
   [markup.goldmark]
-    [markup.renderer]
+    [markup.goldmark.renderer]
       unsafe = true
 
 [params]
diff --git a/marketing/static/img/thirdparty/2026-01-05-enisa-sbom-landscape-analysis.png b/marketing/static/img/thirdparty/2026-01-05-enisa-sbom-landscape-analysis.png
