Vulnerability Management
In-depth guides and analysis on vulnerability management from the Safeguard engineering team.
133 articles
Static Analysis False-Positive Reduction
A technique-by-technique tour of how modern static analyzers cut false positives, from CodeQL's path pruning to Infer's bi-abduction.
NuGet Package Vulnerabilities Dashboard
Listing every CVE in your NuGet dependency tree is easy. Turning it into a dashboard someone can act on is the work. A practical design.
Fuzzing Open Source for Supply Chain Findings
How modern coverage-guided fuzzing finds real vulnerabilities in open-source dependencies, and how to fold it into a supply-chain security program.
Mean Time to Remediation Benchmarks: How Fast Should You Be Patching?
MTTR is the most important vulnerability management metric. But what is a good MTTR? Industry benchmarks, realistic targets, and strategies for improvement.
bundler-audit Production Setup
A practical guide to running bundler-audit in production CI pipelines, including advisory database updates, exception handling, and integration with remediation workflows.
Symbolic Execution for Dependency Analysis
Symbolic execution explores program paths without concrete inputs. For supply-chain work, it answers reachability questions that fuzzing cannot.
False Positive Rates in Container Scanning: Why Your Scanner Lies to You
Container scanners produce mountains of findings. A significant percentage are false positives. Here is how to measure and manage the noise.
Coordinated Vulnerability Disclosure: A Complete Guide
Coordinated disclosure protects users while giving vendors time to fix. Here is how to run a disclosure process that works for all parties, whether you are the reporter or the vendor.
Taint Analysis for Zero-Day Discovery: A Primer
A practitioner's walk-through of taint analysis as a zero-day discovery technique, from classic Livshits and Lam foundations to modern flow-sensitive engines.
Palo Alto GlobalProtect Zero-Day: Response Timeline
CVE-2024-3400 hit GlobalProtect with pre-auth RCE and ongoing exploitation. Here is the response timeline, the UPSTYLE tradecraft, and what worked.
CISA KEV Catalog Growth: A 2024 Q1 Analysis
CISA added 40+ CVEs to the Known Exploited Vulnerabilities catalog in Q1 2024. We break down the vendor mix, the edge-device bias, and what to prioritize.
PDF Supply Chain Attack Vectors: When Documents Become Weapons
PDFs are trusted by default in most organizations. That trust makes them a potent vector for supply chain attacks. Here is how the attacks work.