vulnerability-research
Safeguard articles tagged "vulnerability-research" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Cybersecurity Research Center (CyRC): vulnerability resea...
What is Black Duck's CyRC, how does it research and disclose vulnerabilities, and where do its coverage gaps leave your open source supply chain exposed?
Rust memory safety vulnerabilities despite the borrow che...
The borrow checker doesn't stop everything. Here's how rust unsafe code vulnerabilities slip past Rust's safety guarantees and reach production.
Automated Zero-Day Discovery: How AI Is Changing Vulnerability Research
AI-powered fuzzing and code analysis are accelerating zero-day discovery. Here's what that means for defenders.
Race Conditions (TOCTOU) in Application Code
From Dirty COW to runc's CVE-2021-30465, TOCTOU race conditions keep slipping past code review. Here's why they're invisible to standard tooling — and how to catch them.
Autocomplete Anxiety: Measuring How Often AI Coding Assis...
Studies show 40-45% of AI-suggested code contains exploitable flaws, and models hallucinate fake packages developers install. Here's what the data says.
Dataflow Analysis in Modern Codebases
Dataflow analysis is the workhorse behind most vulnerability research. Here's how it adapts to TypeScript, Rust, and the polyglot realities of modern software.
Differential Testing for Supply Chain Vulns
Differential testing compares the behavior of multiple implementations of the same specification. In supply-chain work, it surfaces bugs that nobody else can see.
Symbolic Execution for Dependency Analysis
Symbolic execution explores program paths without concrete inputs. For supply-chain work, it answers reachability questions that fuzzing cannot.
Taint Analysis for Zero-Day Discovery: A Primer
A practitioner's walk-through of taint analysis as a zero-day discovery technique, from classic Livshits and Lam foundations to modern flow-sensitive engines.
Open Source Vulnerability Rewards: Can Bug Bounties Save Open Source?
Google expanded its OSS vulnerability rewards program in 2023, paying researchers to find bugs in critical open source projects. It's a promising model, but not a silver bullet.
Bug Bounty Programs with a Supply Chain Focus
Traditional bug bounty programs miss supply chain vulnerabilities. Here's how to design a bounty program that incentivizes researchers to hunt in your dependency chain.