vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
The End-of-Year Dependency Audit Ritual
Most dependency audits get done in a panic after a CVE lands. A planned year-end audit is cheaper, more thorough, and produces a backlog you can actually work through in Q1.
Dependency Graph Analysis: Finding Hidden Transitive Risks
Your project has 50 direct dependencies. It actually depends on 1,200 packages. Transitive dependency analysis is how you find the risks hiding three layers deep.
Vulnerability Correlation Across Package Ecosystems
The same vulnerability often appears under different identifiers across npm, PyPI, Maven, and other ecosystems. Here is how to correlate vulnerabilities across ecosystems and why it matters.
Automating Vulnerability Remediation: A Practical Guide
Stop drowning in CVE backlogs. Learn how to build automated remediation workflows that fix vulnerabilities faster without burning out your engineering team.
VEX Explained: How Vulnerability Exploitability Exchange Cuts Through Alert Noise
VEX documents let software producers tell consumers which vulnerabilities actually affect their products. Here's how VEX works and why it matters.
Memory Safety Bugs in C/C++ Dependencies: The Hidden Risk in Your Software Supply Chain
C and C++ libraries still power critical infrastructure everywhere. Their memory safety issues are your problem whether you write C or not.
The Log4Shell Response Playbook Six Months In
Six months after CVE-2021-44228 broke the internet, here is what worked, what didn't, and the response patterns security teams should keep as muscle memory.
Log4j and the Maintainer Burnout Crisis Nobody Talks About
The Log4Shell vulnerability exposed more than a critical flaw in Java logging. It revealed a systemic failure in how the industry treats the people who maintain critical open source infrastructure.
CISA Known Exploited Vulnerabilities Catalog Launched
CISA's KEV catalog changes vulnerability management from theoretical risk to confirmed exploitation. Here's what it means and how to use it for prioritization.
Vulnerability Prioritization: Beyond CVSS Scores
CVSS scores alone lead to alert fatigue and misallocated resources. Here's how EPSS, reachability analysis, and exploit intelligence create a smarter prioritization model.
Heartbleed at Five Years: A Practitioner Retrospective
Five years after CVE-2014-0160, Heartbleed still shapes how we think about shared cryptographic libraries, disclosure ethics, and open-source funding.