vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
What is a known vulnerability?
A known vulnerability is a publicly disclosed, CVE-tracked flaw — and disclosure alone doesn't mean it's fixed, patched, or harmless.
Understanding CVSS scoring for vulnerabilities
CVSS scores run 0-10, but a 9.8 doesn't always mean patch tonight. Here's how base scores are calculated and why context beats the number.
Application Security Management: Programs That Actually Work
What separates an application security management program that actually reduces risk from one that just generates dashboards, based on where ownership and monitoring break down.
Vulnerability vs weakness: CVE vs CWE explained
CVE identifies one specific vulnerability; CWE identifies the weakness pattern behind it. Here's how the two taxonomies connect and why both matter.
Vulnerability scanning tools and techniques compared
A verifiable comparison of Safeguard and JFrog Xray on scan coverage, data sourcing, reachability analysis, and CI/CD integration for vulnerability scanning.
CVE Numbering Authority (CNA) status: why it matters when...
JFrog has issued its own CVEs since 2021 as a CVE Numbering Authority. Here's what CNA status really controls, where it falls short, and how to verify vendor-disclosed vulnerabilities.
Zip Slip vulnerability cheat sheet
A concrete, question-driven cheat sheet on Zip Slip: how the archive-extraction path traversal bug works, real CVEs, and how to detect and fix it.
What is a Software Bill of Materials (SBOM) and why it ma...
A software bill of materials (SBOM) is a live inventory of every dependency in your software. Here's why it matters, how JFrog handles it, and how Safeguard does better.
Software Composition Analysis (SCA) explained: how it fin...
SCA scans your dependency tree against CVE databases to catch vulnerable open-source packages like Log4Shell before they reach production.
10 Java security best practices
10 Java security best practices security teams should enforce across dependency management, deserialization, injection, secrets, and build pipelines.
CVE explained: how vulnerabilities get identified and scored
A CVE ID and its CVSS score come from different organizations entirely. Here's how identification and severity scoring actually work, using Log4Shell and the 2024 NVD backlog as examples.
Go security cheat sheet for developers
A practical Go security cheat sheet: the real vulnerability classes, must-patch stdlib CVEs, and dependency scanning tactics developers need to know.