vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
The National Vulnerability Database: How to Actually Use It
The National Vulnerability Database is the US government's CVE repository — here's how to search it, read its CVSS scores, and use it in a real workflow.
False Positive Rates in Container Scanning: Why Your Scanner Lies to You
Container scanners produce mountains of findings. A significant percentage are false positives. Here is how to measure and manage the noise.
Application Vulnerabilities: The Common Classes Explained
Injection, broken access control, and misconfiguration account for most real-world breaches. Here's a plain map of the classes that matter and how each one is actually exploited.
Container Security Scanning in 2024: Benchmarks, Tools, and What Actually Matters
Container image scanning tools vary widely in detection rates, false positive rates, and coverage. Here is a practical assessment of the container security scanning landscape in 2024.
What is Fuzzing
Fuzzing feeds programs malformed input at machine speed to trigger crashes and expose memory-safety bugs. Here's how fuzz testing works and why it matters.
Spring4Shell: What Shipped and How to Patch It
What the Spring4Shell vulnerability actually was, which configurations were exposed, and the concrete patch and mitigation steps that closed it.
NIST NVD Slowdown: What the Vulnerability Enrichment Backlog Means for Security Teams
NIST's National Vulnerability Database nearly stopped enriching CVEs in early 2024, creating a growing backlog that left security teams without the severity scores and metadata they depend on.
Apache Struts 2 Vulnerabilities: A History Worth Knowing
Apache Struts 2 has produced some of the most damaging vulnerabilities in web application history, including the flaw behind the Equifax breach. Here's what happened and why it keeps happening.
CISA KEV Catalog Growth: A 2024 Q1 Analysis
CISA added 40+ CVEs to the Known Exploited Vulnerabilities catalog in Q1 2024. We break down the vendor mix, the edge-device bias, and what to prioritize.
Security Debt: Measuring and Paying It Down
Security debt is the gap between the risk you're carrying and the risk you've decided to carry. Here's how to measure it in vuln-days and pay it down without a heroic quarter.
Notable CVEs of 2022: A Practitioner's Roundup
CVE-2022-31160 and a run of recursion-based denial-of-service bugs made 2022 a year defined less by exotic exploits and more by parsers that never expected deeply nested input.
CWE Full Form: What It Actually Stands For
CWE stands for Common Weakness Enumeration — a community-maintained taxonomy of software and hardware weakness types that CVEs, SAST tools, and OWASP guidance all reference back to.