Safeguard
Tag

vulnerability-management

Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.

635 articles

Supply Chain Security

Enriching SBOMs with Vulnerability and License Metadata

A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.

Jul 8, 20267 min read
Best Practices

Ethical hacking techniques, mapped to a responsible disclosure workflow

Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.

Jul 8, 20266 min read
Vulnerability Management

Exploitability vs. breakability: a practical rubric for vulnerability triage

CVSS says a flaw could be bad. CISA's KEV catalog, now past 1,300 entries, says one actually was exploited. Most teams still triage as if the two are the same.

Jul 8, 20267 min read
Vulnerability Management

HTTP/2 CONTINUATION Flood: Inside CVE-2024-27316 and the Frame-Based DoS Class

A single TCP connection with no END_HEADERS flag was enough to crash major HTTP/2 servers — worse than Rapid Reset, and it took the industry a decade to check for it.

Jul 8, 20267 min read
Vulnerability Management

HTTP/2 Rapid Reset: inside CVE-2023-44487

A single HTTP/2 feature let attackers hit 398 million requests per second. Here's how Rapid Reset (CVE-2023-44487) broke nearly every major web server at once.

Jul 8, 20266 min read
Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
AI Security

Mapping the blast radius of a vulnerable AI infrastructure dependency

One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.

Jul 8, 20266 min read
Vulnerability Management

The 10 most common code-level vulnerability classes, ranked by real-world data

MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.

Jul 8, 20268 min read
Compliance & Frameworks

Mapping NIST CSF 2.0 to your AppSec program

NIST CSF 2.0 added a sixth function, Govern, in February 2024 — most AppSec teams still map their tooling to only three of the six.

Jul 8, 20266 min read
Vulnerability Management

NVD's enrichment backlog and how to build a multi-source vuln database strategy

NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.

Jul 8, 20266 min read
Vulnerability Management

What PHP's use-after-free bugs teach us about dynamic-runtime memory safety

Check Point disclosed three PHP 7 unserialize zero-days in 2016 alone. A decade of PHP use-after-free CVEs shows memory-safety risk doesn't end at the C/C++ boundary.

Jul 8, 20266 min read
Vulnerability Management

Prioritizing vulnerabilities by real-world risk, not raw CVSS score

Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.

Jul 8, 20267 min read
vulnerability-management (Page 4) — Safeguard Blog