Safeguard
Tag

vulnerability-management

Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.

635 articles

Application Security

ASPM fundamentals: what application security posture management actually aggregates

Gartner coined the ASPM term in May 2023 and projects over 40% of organizations building software will adopt it by 2026 — here is what it actually does.

Jul 8, 20266 min read
Application Security

What to Evaluate in an ASPM Solution: A 2026 Buyer's Guide

Gartner named Application Security Posture Management a category in May 2023 — three years later, most RFPs still can't distinguish a real ASPM from a dashboard bolted onto old scanners.

Jul 8, 20268 min read
Application Security

ASPM fundamentals for security teams

Gartner projects over 40% of organizations will adopt Application Security Posture Management by 2026 — here's what it actually aggregates and how to judge if yours is working.

Jul 8, 20266 min read
Application Security

A framework for integrating ASPM into an existing AppSec program

Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.

Jul 8, 20266 min read
Application Security

Beyond vulnerability management: a risk-based approach to AppSec

Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.

Jul 8, 20267 min read
Vulnerability Management

Continuous vulnerability management: the discovery-to-verification lifecycle

CISA's new BOD 26-04 gives federal agencies as little as 3 days to remediate the highest-risk flaws — a preview of the SLA pressure every engineering org now faces.

Jul 8, 20267 min read
Vulnerability Management

Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation

crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.

Jul 8, 20266 min read
Vulnerability Management

The CUPS RCE Chain: A Technical Breakdown of CVE-2024-47176

Four medium-severity CUPS bugs chained into unauthenticated RCE on UDP/631 — a masterclass in why CVSS scores per-CVE miss the real risk of a vulnerability chain.

Jul 8, 20266 min read
Vulnerability Management

Inside CVE-2023-38545: the libcurl SOCKS5 heap overflow

A single off-by-length check in curl's SOCKS5 handshake, live for over three years across libcurl 7.69.0–8.3.x, earned a 9.8 CVSS score and a CWE-787 out-of-bounds write.

Jul 8, 20266 min read
Vulnerability Management

CVSS 4.0 vs. 3.1: what actually changed, and why your priority list should too

CVSS 4.0 killed the Scope metric, added Attack Requirements, and split scoring into CVSS-B/BT/BE/BTE labels — here's what that means for triage.

Jul 8, 20266 min read
DevSecOps

The DevSecOps Adoption Leadership Playbook

Datadog's 2026 State of DevSecOps found 87% of organizations have a known-exploited vulnerability live in production — the fix is incentive design, not another mandate.

Jul 8, 20267 min read
Compliance & Frameworks

DORA compliance for application risk management

DORA became fully applicable on 17 January 2025 with no grace period, and its ICT risk-management articles map almost line-for-line onto standard AppSec practice.

Jul 8, 20266 min read
vulnerability-management (Page 3) — Safeguard Blog