vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
CISA's Secure by Design pledge explained
CISA's voluntary Secure by Design pledge has grown from 68 signatories to 300+, but it's unverified and self-reported. Here's what the seven goals really require.
5 risks of using open source software
Five documented open source risks — from Log4Shell to the XZ Utils backdoor — with real incidents, dates, and CVEs, plus how Safeguard closes the gap.
Building an SBOM that meets NTIA minimum elements
A field-by-field breakdown of NTIA's SBOM minimum elements, who's legally required to meet them in 2026, and why conformant fields don't guarantee real dependency coverage.
SPDX vs CycloneDX: comparing SBOM formats
SPDX and CycloneDX both satisfy federal SBOM rules, but they solve different problems. Here's how they actually differ — with real specs, dates, and tooling.
Audit-readiness for open source usage policies
What auditors actually ask for in an open source usage policy review, what triggers it, and the evidence gaps that turn a written policy into a finding.
Board-level reporting on application security risk
Boards now face legal disclosure deadlines on cyber risk. Here's what belongs in a board-level appsec report, how often to deliver it, and what the SEC and NYDFS require.
Cyber insurance requirements for application security programs
Cyber insurers now require SBOMs, patch SLAs, and audit trails for AppSec programs. Here's what carriers actually ask for and how to pass renewal.
Threat and Vulnerability Management: Building the Program
How to actually build a threat and vulnerability management program, from asset inventory to closed-loop remediation, rather than buying a scanner and calling it done.
regreSSHion OpenSSH RCE vulnerability CVE-2024-6387
CVE-2024-6387 "regreSSHion" is a signal handler race condition in OpenSSH's sshd enabling unauthenticated root RCE on glibc-based Linux systems.
Apache Struts remote code execution CVE history
A decade of Apache Struts RCEs — from Equifax's CVE-2017-5638 to 2024's file-upload bypass — traced through CVSS, EPSS, KEV, and fixes.
Reducing false positives in security scanning
Most security scan findings never warrant action. Here's why scanners over-alert, what it costs teams, how Aikido's consolidation approach compares, and what actually cuts false positives.
SBOMs in 2026: why most organizations generate them but d...
SBOM generation surged ahead of 2026 compliance deadlines, but most SBOMs sit unused after release. Here's why adoption without action still leaves risk unmanaged.