vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
Benchmarking Mean Time to Remediate Across Company Size a...
MTTR benchmarks vary 2-5x by company size and industry. See how financial services, healthcare, and mid-sized firms compare — and what a realistic 2026 target looks like.
Shift Left Fatigue: Why Developers Are Pushing Back on Se...
Shift-left security handed developers new duties without removing old ones. Here's why teams are pushing back — and how better tooling fixes the real problem: noise, not ownership.
The Champion Model: Do Embedded Security Champions Actual...
Security champion programs cut vulnerabilities only under specific conditions. Here's what BSIMM, GitLab, and OWASP data show about when the champion model actually works.
Why Security and Engineering KPIs Are Still Misaligned in...
Security teams chase CVSS scores and SLA compliance while engineering chases velocity and uptime—two scorecards that were never built to agree.
Why Small Teams Often Outperform Large Enterprises on Fix...
Small teams often patch critical CVEs in hours while enterprises take weeks — not because of talent, but process. Here's why, and how to close the gap.
The CVE Program Funding Crisis: What Happened and What It Means
The CVE program nearly lost its funding in early 2025, exposing deep structural risks in how we track vulnerabilities. Here is what happened and where we go from here.
Log4Shell Three Years Later: Which Fixes Actually Stuck?
Three years after Log4Shell's disclosure, which fixes actually held? A look back at CVE-2021-44228's timeline, CVSS/EPSS/KEV context, and lingering exposure.
Spring Framework RCE Vulnerabilities: A History
From Spring4Shell to older data binding flaws, Spring framework RCE bugs keep resurfacing in the same handful of places — data binding, expression evaluation, and class loading.
Application Vulnerability Assessment: Scope, Method, and Reporting
Most assessment reports die unread because scope was fuzzy and findings were not verified. A working method for assessments that end in shipped fixes.
The OWASP API Security Top 10: Each Risk Explained
The OWASP API Top 10 is a ranked list of the most common API-specific vulnerability classes, from broken object level authorization to unsafe consumption of third-party APIs.
Safeguard Griffin AI: Autonomous Vulnerability Remediation That Actually Works
Griffin AI moves beyond scan-and-alert to autonomously generate, test, and propose vulnerability fixes. How Safeguard's remediation engine reduces mean time to fix without introducing new risk.
Application Security Vulnerability Management: A Working Workflow
A concrete workflow for application security vulnerability management, from scan to fix to verified close, that survives contact with a real release calendar.