Symbolic Execution for Dependency Analysis
Symbolic execution explores program paths without concrete inputs. For supply-chain work, it answers reachability questions that fuzzing cannot.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Container scanners produce mountains of findings. A significant percentage are false positives. Here is how to measure and manage the noise.
Coordinated disclosure protects users while giving vendors time to fix. Here is how to run a disclosure process that works for all parties, whether you are the reporter or the vendor.
A practitioner's walk-through of taint analysis as a zero-day discovery technique, from classic Livshits and Lam foundations to modern flow-sensitive engines.
CVE-2024-3400 hit GlobalProtect with pre-auth RCE and ongoing exploitation. Here is the response timeline, the UPSTYLE tradecraft, and what worked.
CISA added 40+ CVEs to the Known Exploited Vulnerabilities catalog in Q1 2024. We break down the vendor mix, the edge-device bias, and what to prioritize.
PDFs are trusted by default in most organizations. That trust makes them a potent vector for supply chain attacks. Here is how the attacks work.
CVE-2024-21762 gave attackers pre-auth RCE on FortiGate SSL VPN. We trace the exploitation patterns, scanner behavior, and who got hit first.
Most organizations define vulnerability SLAs and then fail to meet them. The problem is not motivation. It is measurement and process.