Safeguard
Tag

vulnerability-management

Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.

626 articles

Vulnerability Management

CVE-2021-45105: the Log4j denial-of-service flaw recursion built

CVE-2021-45105 scored CVSS 5.9 and let a single crafted lookup string crash a JVM with a StackOverflowError — no RCE required, just uncontrolled recursion.

Jul 16, 20266 min read
Vulnerability Management

When CVSS Scoring Misleads Severity Context

Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.

Jul 16, 20267 min read
Open Source Security

Building an OSPO security governance model for license and vulnerability risk

77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.

Jul 15, 20266 min read
Cloud Security

Security metrics and KPIs that actually indicate cloud program maturity

IBM's 2024 breach data puts the average breach lifecycle at 258 days — most cloud security dashboards can't even tell you your own exposure window.

Jul 15, 20267 min read
Vulnerability Management

CVE-2022-31692: how a forward dispatch bypassed Spring Security authorization

A CVSS 9.8 flaw let a single internal forward skip Spring Security's URL-based access checks entirely — here's the root cause and the exact config fix.

Jul 15, 20266 min read
Supply Chain Security

A patching playbook for critical open-source CVEs

Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.

Jul 13, 20266 min read
Vulnerability Management

Text4Shell deep dive: how CVE-2022-42889 turned string formatting into RCE

CVSS 9.8. Apache Commons Text 1.5–1.9 ran attacker strings through a script interpolator by default — here's the root cause and the fix.

Jul 12, 20266 min read
DevSecOps

Building security programs with limited headcount

The developer-to-security ratio is roughly 100:1. A framework for scaling AppSec impact through automation and enablement when hiring isn't the answer.

Jul 12, 20266 min read
Container Security

The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)

Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.

Jul 12, 20266 min read
Vulnerability Management

Inside the OpenSSL punycode bug: why CVE-2022-3602 wasn't Heartbleed

OpenSSL pre-announced a 'critical' flaw in October 2022. It shipped as HIGH severity. Here's the buffer overflow, the downgrade, and the safe patch path.

Jul 12, 20265 min read
Vulnerability Management

CVE-2022-33980: Interpolation-Based RCE in Apache Commons Configuration

A CVSS 9.8 flaw in Apache Commons Configuration 2.4–2.7 let default interpolators run script-engine expressions from untrusted config strings.

Jul 11, 20267 min read
Vulnerability Management

Reachability analysis for vulnerability triage

Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.

Jul 10, 20265 min read
vulnerability-management — Safeguard Blog