vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
A framework for scaling risk-based AppSec across many teams
40,009 CVEs were published in 2024 alone — a 38.83% jump over 2023. No security team can triage that volume by hand across dozens of engineering teams.
Building a shift-left security culture developers actually buy into
Log4Shell sat in most Java codebases for years before Dec 2021 — shift-left tooling alone didn't stop it. Culture, placement, and incentives are what make it work.
CVE-2022-1471: Inside the SnakeYaml Deserialization RCE
CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.
How task-scheduler RCEs become cryptomining botnets
Two chained Apache Airflow CVEs and a Rundeck YAML deserialization bug show how scheduler tools turn one flaw into unauthenticated RCE and persistent mining.
Using EPSS scores for vulnerability remediation prioritization
EPSS predicts exploitation probability for every CVE on a 0-1 scale, updated daily. Paired with CVSS, it turns a 1,000-ticket backlog into a short, defensible list.
CWE vs. CVE vs. CVSS: The Vocabulary Every AppSec Team Gets Wrong
One CWE weakness class can spawn thousands of CVEs, and a single CVE can now carry two different CVSS scores at once — most teams still use the terms interchangeably.
The libwebp heap overflow that patched half the internet: CVE-2023-4863
One heap buffer overflow in a 15-year-old image codec forced Chrome, Firefox, Edge, Electron apps, and entire Linux distros to ship emergency patches within days.
Vulnerability Management for Beginners: From Alert Overload to Calm Control
Scanners are good at finding problems. Vulnerability management is the calmer discipline of deciding which ones actually matter and fixing them in order. Here is a friendly guide with a first workflow to try today.
How to Report AppSec Risk to Your CISO
CVSS measures severity, not risk — and a slide of 4,000 raw findings tells a CISO nothing. Here's how to translate scan output into decisions.
Why NVD alone is not enough: the case for multi-source vulnerability intelligence
NIST now fully enriches a fraction of CVEs — on April 15, 2026 it moved to a triage model that leaves most of 2025's 48,185 published CVEs without a timely severity score.
AI Security Remediation FAQ: How AI-Authored Fixes Are Kept Trustworthy
How an AI can be trusted to fix security vulnerabilities — the role of reachability, validation, and human review in keeping AI-authored remediation accurate and safe.
False Positives in Security Scanning FAQ
Why security scanners produce so many false positives, what actually counts as one, and how reachability analysis and context reduce the noise. A practical FAQ.