vulnerability-management
Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.
635 articles
SOC 2 and software supply chain security: mapping the Trust Services Criteria
SOC 2 never says the words 'software bill of materials,' but auditors increasingly expect supply-chain evidence. Here's how the Trust Services Criteria map to your dependencies.
What Is a Security Advisory
A security advisory is an official notice that a product has a security flaw, plus how to fix it. Here is what advisories contain, who issues them, and how to act on one.
Snyk vs Black Duck (Synopsys) Comparison
Snyk vs Black Duck comparison for security buyers: how the two SCA platforms differ on workflow, coverage, and compliance — and where Safeguard fits.
Software Supply Chain Security for Product Security Teams
Product security teams own the security of what ships and stays shipped. Here is how to embed supply chain controls across the SDLC, run PSIRT for third-party CVEs, and manage security debt in released products without owning every repo yourself.
Vulnerability Management FAQ: Process, Tooling, and SLAs
What vulnerability management actually involves — discovery, triage, prioritization, remediation, and verification — answered as a practical FAQ for security and engineering teams.
What Is a CVSS Score
A CVSS score rates how severe a security flaw is on a scale of 0 to 10. Here is what the number means, how to read it, and why it is only part of the risk picture.
What Is Application Security (AppSec) 101
AppSec used to mean scanning code for known bugs. Here's why that's no longer enough, what CVE-matching tools like Snyk miss, and what a real supply chain security program requires.
Reachability Analysis FAQ: What It Is and Why It Cuts Noise
Reachability analysis decides whether a vulnerable function in a dependency is actually called by your code. Here are the common questions, answered plainly.
What Is a Security Patch
A security patch is a small update that fixes a specific flaw in software. Here is what patches are, why applying them quickly matters, and how teams manage them.
Software Composition Analysis (SCA) Explained
SCA finds every open-source package in your app — but knowing it's there isn't knowing it's exploitable. Here's what Log4Shell, xz, and Snyk's approach got right and wrong.
Container Image Scanning Best Practices
A practical guide to container image scanning: when to scan, what to block, what scanners like Snyk miss, and how to build a policy that actually gets remediated.
Software Supply Chain Security for AppSec Leads
AppSec leads own the program that turns scanner noise into fixed risk. Here is how to consolidate tooling, prioritize by reachability, win developer trust, and measure a program by remediation velocity instead of finding count.