reachability-analysis
Safeguard articles tagged "reachability-analysis" — guides, analysis, and best practices for software supply chain and application security.
157 articles
PHP code security fundamentals: injection, deserialization, and file inclusion
PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.
Prioritizing vulnerabilities by real-world risk, not raw CVSS score
Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.
Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro
A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.
What Is Reachability Analysis in Security?
Reachability analysis determines whether a vulnerable piece of code can actually be executed from your application — cutting through the noise of vulnerabilities that exist but can never be triggered. Here's how it slashes false positives.
Choosing a security tool for AI-generated code
GitHub reported in 2024 that Copilot writes up to 46% of code in enabled files — the same vulnerability classes humans write, now shipped at machine speed.
How to Report AppSec Risk to Your CISO
CVSS measures severity, not risk — and a slide of 4,000 raw findings tells a CISO nothing. Here's how to translate scan output into decisions.
Software Composition Analysis Best Practices for Engineering Teams
CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.
Software Composition Analysis (SCA): Frequently Asked Questions
A practical FAQ on software composition analysis in 2026 — what SCA scans, how reachability cuts false positives, transitive dependencies, VEX, and how modern SCA differs from legacy scanners.
Software supply chain attack statistics and trends report
Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.
Understanding the software supply chain attack surface
SolarWinds, Log4Shell, and XZ Utils show the software supply chain attack surface is bigger than any single scan. Here's how to actually map and shrink it.
SBOM as a supply chain defense strategy
SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.
Preventing malicious packages with automated detection
Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.