Safeguard
Tag

reachability-analysis

Safeguard articles tagged "reachability-analysis" — guides, analysis, and best practices for software supply chain and application security.

157 articles

Vulnerability Management

When CVSS Scoring Misleads Severity Context

Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.

Jul 16, 20267 min read
Open Source Security

Common Go module vulnerability patterns and how govulncheck helps

Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.

Jul 14, 20266 min read
Vulnerability Management

Reachability analysis for vulnerability triage

Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.

Jul 10, 20265 min read
Vulnerability Management

Vulnerability fatigue and the case for risk-based prioritization

48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.

Jul 10, 20267 min read
Application Security

AI-driven DAST for modern applications

73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.

Jul 9, 20267 min read
Application Security

Reducing false positives in SAST and SCA tools

NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.

Jul 9, 20266 min read
Vulnerability Management

SBOM-based blast radius analysis for vulnerable dependencies

An SBOM tells you what's inside one artifact. It takes a dependency graph across every service to know what breaks first when a library gets a CVE.

Jul 9, 20266 min read
Vulnerability Management

A prioritization framework for triaging security alerts at scale

Only 2.6% of CVEs tracked in 2019 saw real-world exploitation, per Kenna Security/Cyentia — yet most teams still triage by CVSS alone. Here's a better framework.

Jul 9, 20267 min read
Best Practices

The real ROI of shifting left: what early flaw detection actually saves

A 2025 data breach averages $4.44M globally and $10.22M in the US. Here's a defensible cost model for catching flaws before they ship, not after.

Jul 9, 20266 min read
AI Security

Where AI actually helps AppSec — and where it quietly makes things worse

One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.

Jul 8, 20267 min read
Application Security

Bytecode vs. source analysis: static analysis techniques for Java and Kotlin

SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.

Jul 8, 20265 min read
AI Security

Mapping the blast radius of a vulnerable AI infrastructure dependency

One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.

Jul 8, 20266 min read
reachability-analysis — Safeguard Blog