vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
Application Vulnerability Management: Program Basics
A working definition of application vulnerability management and the five program elements that separate a real practice from a pile of scanner tickets.
jQuery 3.7.1 Vulnerabilities: What Actually Changed From Earlier Releases
jQuery 3.7.1 vulnerabilities are mostly inherited history, not new CVEs — the real security story is what changed across 3.4, 3.5, and 3.7.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's repository of analyzed vulnerability data, built on top of the CVE program — here's what it actually adds, how CVE and NVD relate, and where its data comes from.
Node.js Vulnerabilities: Tracking and Patching at Scale
How to actually keep up with Node.js vulnerabilities across dozens of services — where advisories come from, what to automate, and what still needs a human.
Unrestricted File Upload Vulnerabilities: Risks and Fixes
An unrestricted file upload vulnerability lets an attacker place a working web shell on your server through a form that was only ever supposed to accept profile pictures or PDFs.
IAST Security: Interactive Application Security Testing Explained
IAST security instruments a running application to watch real requests flow through real code, catching vulnerabilities that static analysis and black-box scanning both miss.
How to Fix Vulnerabilities: A Practical Workflow
A practical, repeatable workflow for how to fix vulnerabilities once a scanner finds them — triage, verify, patch, and confirm — instead of treating every finding as equally urgent.
Types of Vulnerability Assessment, Explained
Not every vulnerability assessment tests the same thing. Here's how network, application, host, and wireless assessments differ, and when each one is the right call.
Software Security Issues: A Triage Framework
Most teams triage software security issues by severity score alone, which routinely gets the priority order wrong. A better framework weighs reachability and exposure too.
CVE-2023-4863: The libwebp Zero-Day That Hit Chrome and More
CVE-2023-4863 was a heap buffer overflow in libwebp's Huffman decoding that was exploited as a zero-day in the wild — and because libwebp sits inside Chrome, Firefox, and countless Electron apps, one library bug became an ecosystem-wide emergency patch.
Exploit Chaining: A Supply Chain Perspective
How attackers chain low and medium severity flaws across dependencies to reach critical impact, and why supply chain context changes triage priorities.
SOC 2 Type II for Engineering Teams: What Auditors Actually Check
Auditors don't start with your policies — they sample your PRs, tickets, and access reviews. Here's what a SOC 2 Type II observation window actually tests, control by control.