vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
ASPM fundamentals: what application security posture management actually aggregates
Gartner coined the ASPM term in May 2023 and projects over 40% of organizations building software will adopt it by 2026 — here is what it actually does.
What to Evaluate in an ASPM Solution: A 2026 Buyer's Guide
Gartner named Application Security Posture Management a category in May 2023 — three years later, most RFPs still can't distinguish a real ASPM from a dashboard bolted onto old scanners.
ASPM fundamentals for security teams
Gartner projects over 40% of organizations will adopt Application Security Posture Management by 2026 — here's what it actually aggregates and how to judge if yours is working.
A framework for integrating ASPM into an existing AppSec program
Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.
Beyond vulnerability management: a risk-based approach to AppSec
Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.
Continuous vulnerability management: the discovery-to-verification lifecycle
CISA's new BOD 26-04 gives federal agencies as little as 3 days to remediate the highest-risk flaws — a preview of the SLA pressure every engineering org now faces.
Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation
crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.
The CUPS RCE Chain: A Technical Breakdown of CVE-2024-47176
Four medium-severity CUPS bugs chained into unauthenticated RCE on UDP/631 — a masterclass in why CVSS scores per-CVE miss the real risk of a vulnerability chain.
Inside CVE-2023-38545: the libcurl SOCKS5 heap overflow
A single off-by-length check in curl's SOCKS5 handshake, live for over three years across libcurl 7.69.0–8.3.x, earned a 9.8 CVSS score and a CWE-787 out-of-bounds write.
CVSS 4.0 vs. 3.1: what actually changed, and why your priority list should too
CVSS 4.0 killed the Scope metric, added Attack Requirements, and split scoring into CVSS-B/BT/BE/BTE labels — here's what that means for triage.
The DevSecOps Adoption Leadership Playbook
Datadog's 2026 State of DevSecOps found 87% of organizations have a known-exploited vulnerability live in production — the fix is incentive design, not another mandate.
DORA compliance for application risk management
DORA became fully applicable on 17 January 2025 with no grace period, and its ICT risk-management articles map almost line-for-line onto standard AppSec practice.