Safeguard
Tag

reachability-analysis

Safeguard articles tagged "reachability-analysis" — guides, analysis, and best practices for software supply chain and application security.

157 articles

Application Security

PHP code security fundamentals: injection, deserialization, and file inclusion

PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.

Jul 8, 20267 min read
Vulnerability Management

Prioritizing vulnerabilities by real-world risk, not raw CVSS score

Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.

Jul 8, 20267 min read
Supply Chain Attacks

Anatomy of the XZ Utils backdoor: how CVE-2024-3094 nearly compromised SSH on every major Linux distro

A CVSS 10.0 backdoor sat in xz 5.6.0 and 5.6.1 for weeks, hidden in a test file, until 0.5 seconds of extra SSH login latency gave it away.

Jul 8, 20266 min read
Concepts

What Is Reachability Analysis in Security?

Reachability analysis determines whether a vulnerable piece of code can actually be executed from your application — cutting through the noise of vulnerabilities that exist but can never be triggered. Here's how it slashes false positives.

Jul 7, 20267 min read
AI Security

Choosing a security tool for AI-generated code

GitHub reported in 2024 that Copilot writes up to 46% of code in enabled files — the same vulnerability classes humans write, now shipped at machine speed.

Jul 7, 20267 min read
DevSecOps

How to Report AppSec Risk to Your CISO

CVSS measures severity, not risk — and a slide of 4,000 raw findings tells a CISO nothing. Here's how to translate scan output into decisions.

Jul 7, 20267 min read
DevSecOps

Software Composition Analysis Best Practices for Engineering Teams

CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.

Jul 7, 20267 min read
FAQ

Software Composition Analysis (SCA): Frequently Asked Questions

A practical FAQ on software composition analysis in 2026 — what SCA scans, how reachability cuts false positives, transitive dependencies, VEX, and how modern SCA differs from legacy scanners.

Jul 1, 20267 min read
Software Supply Chain Security

Software supply chain attack statistics and trends report

Software supply chain attacks keep climbing year over year. Here are the stats, incidents, and trends security teams need to know in 2026.

Jul 1, 20268 min read
Software Supply Chain Security

Understanding the software supply chain attack surface

SolarWinds, Log4Shell, and XZ Utils show the software supply chain attack surface is bigger than any single scan. Here's how to actually map and shrink it.

Jun 29, 20267 min read
Software Supply Chain Security

SBOM as a supply chain defense strategy

SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.

Jun 29, 20267 min read
Software Supply Chain Security

Preventing malicious packages with automated detection

Malicious npm and PyPI packages skip CVEs entirely. Here's how attackers get them published and how automated detection catches them before they ship.

Jun 29, 20266 min read
reachability-analysis (Page 2) — Safeguard Blog