vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
Enriching SBOMs with Vulnerability and License Metadata
A base SBOM only lists what's in your build — OSV.dev, EPSS, and OpenSSF Scorecard turn that inventory into a prioritized risk decision.
Ethical hacking techniques, mapped to a responsible disclosure workflow
Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.
Exploitability vs. breakability: a practical rubric for vulnerability triage
CVSS says a flaw could be bad. CISA's KEV catalog, now past 1,300 entries, says one actually was exploited. Most teams still triage as if the two are the same.
HTTP/2 CONTINUATION Flood: Inside CVE-2024-27316 and the Frame-Based DoS Class
A single TCP connection with no END_HEADERS flag was enough to crash major HTTP/2 servers — worse than Rapid Reset, and it took the industry a decade to check for it.
HTTP/2 Rapid Reset: inside CVE-2023-44487
A single HTTP/2 feature let attackers hit 398 million requests per second. Here's how Rapid Reset (CVE-2023-44487) broke nearly every major web server at once.
Log4Shell and Spring4Shell, years later: why the same bug keeps coming back
CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.
Mapping the blast radius of a vulnerable AI infrastructure dependency
One Ray dashboard flaw let attackers hit hundreds of exposed AI servers. SBOM plus call-graph data is how you find every service that shares the exposure.
The 10 most common code-level vulnerability classes, ranked by real-world data
MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.
Mapping NIST CSF 2.0 to your AppSec program
NIST CSF 2.0 added a sixth function, Govern, in February 2024 — most AppSec teams still map their tooling to only three of the six.
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
What PHP's use-after-free bugs teach us about dynamic-runtime memory safety
Check Point disclosed three PHP 7 unserialize zero-days in 2016 alone. A decade of PHP use-after-free CVEs shows memory-safety risk doesn't end at the C/C++ boundary.
Prioritizing vulnerabilities by real-world risk, not raw CVSS score
Kenna/Cyentia found just 2.6% of 2019's tracked CVEs were ever actively exploited — yet most teams still triage backlogs by CVSS score alone.