vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
626 articles
CVE-2021-45105: the Log4j denial-of-service flaw recursion built
CVE-2021-45105 scored CVSS 5.9 and let a single crafted lookup string crash a JVM with a StackOverflowError — no RCE required, just uncontrolled recursion.
When CVSS Scoring Misleads Severity Context
Only 2-6% of published CVEs are ever exploited in the wild, yet a much larger share carry CVSS 7.0+ scores — a gap that quietly wrecks patch prioritization.
Building an OSPO security governance model for license and vulnerability risk
77% of large organizations now run an OSPO, and 91% say it owns security issues — but most still track license and CVE risk in separate spreadsheets.
Security metrics and KPIs that actually indicate cloud program maturity
IBM's 2024 breach data puts the average breach lifecycle at 258 days — most cloud security dashboards can't even tell you your own exposure window.
CVE-2022-31692: how a forward dispatch bypassed Spring Security authorization
A CVSS 9.8 flaw let a single internal forward skip Spring Security's URL-based access checks entirely — here's the root cause and the exact config fix.
A patching playbook for critical open-source CVEs
Heartbleed, the OpenSSL punycode bug, and XZ Utils each broke a different assumption in incident response. Here's an SLA-driven playbook that survives all three.
Text4Shell deep dive: how CVE-2022-42889 turned string formatting into RCE
CVSS 9.8. Apache Commons Text 1.5–1.9 ran attacker strings through a script interpolator by default — here's the root cause and the fix.
Building security programs with limited headcount
The developer-to-security ratio is roughly 100:1. A framework for scaling AppSec impact through automation and enablement when hiring isn't the answer.
The Four Most Common Docker Image Vulnerabilities (And How to Fix Them)
Sysdig found 76% of containers still run as root — one of four Docker image flaws that turn a routine build into a host compromise.
Inside the OpenSSL punycode bug: why CVE-2022-3602 wasn't Heartbleed
OpenSSL pre-announced a 'critical' flaw in October 2022. It shipped as HIGH severity. Here's the buffer overflow, the downgrade, and the safe patch path.
CVE-2022-33980: Interpolation-Based RCE in Apache Commons Configuration
A CVSS 9.8 flaw in Apache Commons Configuration 2.4–2.7 let default interpolators run script-engine expressions from untrusted config strings.
Reachability analysis for vulnerability triage
Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.