All Posts

Products
Apr 23, 2026
Security Is the New Quality: Why Product Managers Must Own Vulnerability Risk
A perspective on the changing responsibilities of product leadership
Mark Szymanski

Security
Apr 23, 2026
Express 3 is EOL, Express 4 is Next: The 2026 Support Reference
A reference for Express support timelines, and what end-of-life means for organizations still running older versions in production.
Javier Perez

Security
Apr 22, 2026
CVE-2026-26171: .NET EncryptedXml DoS Vulnerability Explained and How to Fix It
Why this XML-based DoS vulnerability creates immediate risk for EOL .NET systems—and what your remediation options are.
Hayden Barnes

Security
Apr 22, 2026
CVE-2026-32178: SMTP Injection in .NET's System.Net.Mail Leaves .NET 6 Without a Patch
A high-severity spoofing and SMTP command injection vulnerability disclosed in April 2026's Patch Tuesday affects .NET's email handling stack.
Hayden Barnes

Products
Apr 22, 2026
Announcing NES for .NET Containers
Why containerized .NET apps remain vulnerable after EOL—and how NES provides a secure bridge while you migrate.
Hayden Barnes

Security
Apr 21, 2026
How Does My Scanner See HeroDevs? Trivy Edition
Why Snyk still flags vulnerabilities after NES—and how to correctly suppress false positives with a .snyk policy file.
JD Flynn

Security
Apr 21, 2026
The Realities of Upgrading: What You Need to Know Before Migrating from End-of-Life Angular 18
Why upgrading from Angular 18 isn’t a simple version bump—and what enterprises must plan for across testing, dependencies, and security.
Javier Perez

Security
Apr 21, 2026
Knockout.js End of Life: Security Risks for DNN and .NET Teams
Why Knockout.js has become a hidden security liability for DNN and .NET teams—and what to do before your next audit.
Greg Allen

Security
Apr 20, 2026
Angular Supported Node.js Versions: The Complete Compatibility Matrix
The definitive Angular-to-Node.js compatibility guide—and why outdated pairings create a double layer of security risk.
Greg Allen

Products
Apr 20, 2026
What Your Scanner Isn’t Telling You About EOL Risk
Why CVE-based scanning falls short—and how EOL software creates invisible risk across your dependency tree.
Parin Shah

Security
Apr 20, 2026
Vercel Breach Confirmed: Critical Security Steps for Every Developer
How a compromised third-party AI tool's OAuth grant became a pivot point into Vercel — and what every developer needs to rotate, audit, and rethink about platform trust.
Allison Vorthmann

Thought Leadership
Apr 20, 2026
Why 73% of AI-Assisted AngularJS Migrations Fall Behind Schedule
AI migration tools promise 4 to 7 months. Enterprise reality is 18 to 24. The gap between those numbers is where the real cost lives.
Taylor Corbett

Thought Leadership
Apr 17, 2026
HeroDevs at VulnCon 2026
A Recap of our time at VulnCon 2026 Including Updates to Open Source Vulnerability Management, Current CVE Program Scaling, and the Impact of AI
Edward Ezekiel

Security
Apr 17, 2026
CVE-2026-35554: Apache Kafka Producer Message Corruption and Silent Misrouting (Buffer Pool Race Condition)
How a Kafka Producer Race Condition Leads to Undetected Data Corruption and Unauthorized Topic Exposure
Mark Szymanski

Security
Apr 17, 2026
CVE-2025-9551: Brute Force Vulnerability in Drupal's Protected Pages Module
How a Missing Rate Limit in Drupal 7 Creates Real Security and Compliance Risk
Javier Perez

