reachability-analysis
Safeguard articles tagged "reachability-analysis" — guides, analysis, and best practices for software supply chain and application security.
157 articles
When CVSS Scoring Misleads Severity Context
Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.
Common Go module vulnerability patterns and how govulncheck helps
Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.
Reachability analysis for vulnerability triage
Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.
Vulnerability fatigue and the case for risk-based prioritization
48,185 CVEs were published in 2025 alone. Most teams can't triage that volume — reachability and exploit maturity data show which ones actually matter.
AI-driven DAST for modern applications
73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.
Reducing false positives in SAST and SCA tools
NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.
SBOM-based blast radius analysis for vulnerable dependencies
An SBOM tells you what's inside one artifact. It takes a dependency graph across every service to know what breaks first when a library gets a CVE.
A prioritization framework for triaging security alerts at scale
Only 2.6% of CVEs tracked in 2019 saw real-world exploitation, per Kenna Security/Cyentia — yet most teams still triage by CVSS alone. Here's a better framework.
The real ROI of shifting left: what early flaw detection actually saves
A 2025 data breach averages $4.44M globally and $10.22M in the US. Here's a defensible cost model for catching flaws before they ship, not after.
Where AI actually helps AppSec — and where it quietly makes things worse
One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.
Bytecode vs. source analysis: static analysis techniques for Java and Kotlin
SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.
Mapping the blast radius of a vulnerable AI infrastructure dependency
One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.