Safeguard
Topic

Vulnerability Management

In-depth guides and analysis on vulnerability management from the Safeguard engineering team.

133 articles

Vulnerability Management

Prioritizing vulnerabilities by real-world risk, not raw CVSS score

Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.

Jul 8, 20267 min read
Vulnerability Management

CVE-2022-1471: Inside the SnakeYaml Deserialization RCE

CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.

Jul 8, 20265 min read
Vulnerability Management

How task-scheduler RCEs become cryptomining botnets

Two chained Apache Airflow CVEs and a Rundeck YAML deserialization bug show how scheduler tools turn one flaw into unauthenticated RCE and persistent mining.

Jul 8, 20266 min read
Vulnerability Management

Using EPSS scores for vulnerability remediation prioritization

EPSS predicts exploitation probability for every CVE on a 0-1 scale, updated daily. Paired with CVSS, it turns a 1,000-ticket backlog into a short, defensible list.

Jul 8, 20267 min read
Vulnerability Management

CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong

One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.

Jul 8, 20267 min read
Vulnerability Management

The libwebp heap overflow that patched half the internet: CVE-2023-4863

One heap buffer overflow in a 15-year-old image codec forced Chrome, Firefox, Edge, Electron apps, and entire Linux distros to ship emergency patches within days.

Jul 8, 20266 min read
Vulnerability Management

Reachability-based vulnerability prioritization (Polaris ...

Reachability analysis cuts CVE noise by confirming which vulnerabilities are exploitable. Here's how Black Duck's Polaris reachability compares to Safeguard's pipeline-native approach.

Jun 15, 20268 min read
Vulnerability Management

AppSec program consolidation: reducing tool sprawl

AppSec tool sprawl is a consolidation problem, not just a vendor-count problem. A look at Black Duck's product lineage versus Safeguard's unified scanning pipeline.

Jun 13, 20268 min read
Vulnerability Management

Vulnerability scanning tools and techniques compared

A verifiable comparison of Safeguard and JFrog Xray on scan coverage, data sourcing, reachability analysis, and CI/CD integration for vulnerability scanning.

Jun 1, 20268 min read
Vulnerability Management

CVE Numbering Authority (CNA) status: why it matters when...

JFrog has issued its own CVEs since 2021 as a CVE Numbering Authority. Here's what CNA status really controls, where it falls short, and how to verify vendor-disclosed vulnerabilities.

May 29, 20267 min read
Vulnerability Management

CVE explained: how vulnerabilities get identified and scored

A CVE ID and its CVSS score come from different organizations entirely. Here's how identification and severity scoring actually work, using Log4Shell and the 2024 NVD backlog as examples.

May 27, 20267 min read
Vulnerability Management

CVSS scoring explained, and where severity scores go wrong

CVSS score explained through a real case where CVSS, EPSS, and KEV disagreed, showing why severity alone misleads prioritization decisions.

May 27, 20268 min read
Vulnerability Management (Page 3) — Supply Chain Security Blog | Safeguard