vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
Notable CVEs of 2023: A Practitioner's Roundup
From an OpenSSL IV-truncation flaw to a critical Babel code-execution bug, 2023's CVE crop is a good reminder that severity and blast radius don't always line up.
libwebp and CVE-2023-4863: The Full Story
A heap buffer overflow in libwebp's lossless decoder, exploited in the wild before a patch existed, turned out to affect far more software than the browser it was first reported in.
Veracode SCA: Mature Application Security Meets Dependency Scanning
An overview of Veracode's SCA capabilities within their broader application security platform, covering vulnerability prioritization, agent-based scanning, and enterprise features.
AWS ECR Image Scanning: A Deep Dive Into What It Catches and What It Misses
ECR offers both basic and enhanced scanning. The difference between them determines whether your container security is real or performative.
Vulnerability SLA Compliance Tracking That Actually Works
Most organizations define vulnerability SLAs and then fail to meet them. The problem is not motivation. It is measurement and process.
What is Security Testing
Security testing is how teams find exploitable weaknesses before attackers do. Here's the main types — SAST, DAST, IAST, SCA, fuzzing, pentesting — and how they fit together.
How to Write a Security Advisory That Actually Helps
Most security advisories are either too vague to be actionable or too detailed to be safe. Here is how to write advisories that help defenders without enabling attackers.
Autonomous Security Remediation: The Promise and Peril of Self-Healing Software
Automated vulnerability patching sounds ideal until you consider what happens when the automation gets it wrong. Here's a realistic look at autonomous remediation.
Managing Security Debt: A Practical Guide
Security debt is inevitable, but it does not have to be unmanageable. Learn how to quantify, prioritize, and systematically pay down your organization's security debt.
Legacy Software and Supply Chain Risks
Legacy systems are supply chain time bombs—running outdated dependencies, unsupported frameworks, and unmaintained libraries. Here's how to manage the risk.
govulncheck in Production Integration
govulncheck is the best vulnerability scanner the Go ecosystem has ever had, but turning it from a demo into a production gate takes more than adding a CI step.
Wiz Cloud Security Platform: Agentless Done at Scale
An overview of Wiz's cloud security platform, covering its agentless architecture, graph-based risk analysis, and how it changed expectations for cloud security tooling.