Safeguard
Tag

vulnerability-management

Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.

635 articles

Compliance

CISA's Secure by Design pledge explained

CISA's voluntary Secure by Design pledge has grown from 68 signatories to 300+, but it's unverified and self-reported. Here's what the seven goals really require.

May 10, 20267 min read
Open Source Security

5 risks of using open source software

Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.

May 9, 20267 min read
Open Source Security

Building an SBOM that meets NTIA minimum elements

A field-by-field breakdown of NTIA's SBOM minimum elements, who's legally required to meet them in 2026, and why conformant fields don't guarantee real dependency coverage.

May 9, 20267 min read
Open Source Security

SPDX vs CycloneDX: comparing SBOM formats

SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.

May 8, 20267 min read
Compliance

Audit-readiness for open source usage policies

What auditors actually ask for in an open source usage policy review, what triggers it, and the evidence gaps that turn a written policy into a finding.

May 8, 20266 min read
Compliance

Board-level reporting on application security risk

Boards now face legal disclosure deadlines on cyber risk. Here's what belongs in a board-level appsec report, how often to deliver it, and what the SEC and NYDFS require.

May 7, 20267 min read
Compliance

Cyber insurance requirements for application security programs

Cyber insurers now require SBOMs, patch SLAs, and audit trails for AppSec programs. Here's what carriers actually ask for and how to pass renewal.

May 7, 20266 min read
SecOps

Threat and Vulnerability Management: Building the Program

How to actually build a threat and vulnerability management program, from asset inventory to closed-loop remediation, rather than buying a scanner and calling it done.

May 6, 20265 min read
Vulnerability Analysis

regreSSHion OpenSSH RCE vulnerability CVE-2024-6387

CVE-2024-6387 "regreSSHion" is a signal handler race condition in OpenSSH's sshd enabling unauthenticated root RCE on glibc-based Linux systems.

May 5, 20268 min read
Vulnerability Analysis

Apache Struts remote code execution CVE history

A decade of Apache Struts RCEs — from Equifax's CVE-2017-5638 to 2024's file-upload bypass — traced through CVSS, EPSS, KEV, and fixes.

May 4, 20267 min read
Best Practices

Reducing false positives in security scanning

Most security scan findings never warrant action. Here's why scanners over-alert, what it costs teams, how Aikido's consolidation approach compares, and what actually cuts false positives.

May 4, 20267 min read
Best Practices

SBOMs in 2026: why most organizations generate them but d...

SBOM generation surged ahead of 2026 compliance deadlines, but most SBOMs sit unused after release. Here's why adoption without action still leaves risk unmanaged.

May 3, 20267 min read
vulnerability-management (Page 15) — Safeguard Blog