Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

A vendor-neutral framework for evaluating SAST tools

OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.

Jul 8, 20266 min read
Application Security

A hardening guide to securing Flask applications

Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.

Jul 8, 20266 min read
Application Security

Secure multi-tenant SaaS access control patterns

Broken Access Control has topped OWASP's Top 10 for two straight cycles, found in 100% of tested apps in 2025 — most of that risk starts with one missing tenant_id check.

Jul 8, 20266 min read
Application Security

Secure password hashing in Go: bcrypt, Argon2, and the mistakes in between

Go's bcrypt package caps input at 72 bytes and returns ErrPasswordTooLong instead of silently truncating — one of several Go-specific quirks that trip up password hashing code.

Jul 8, 20266 min read
Application Security

Secure URL Encoding and Decoding in Java

Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.

Jul 8, 20266 min read
Application Security

Secure session lifecycle management: tokens, rotation, and cookie flags

OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.

Jul 8, 20266 min read
Application Security

Robust input validation in Spring Boot: Bean Validation and its bypasses

Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.

Jul 8, 20266 min read
Application Security

The most common Spring Boot security misconfigurations, and how to fix them

CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.

Jul 8, 20266 min read
Application Security

Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns

Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.

Jul 8, 20265 min read
Application Security

Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox

CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.

Jul 8, 20266 min read
Application Security

Verifying webhook signatures correctly

Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.

Jul 8, 20267 min read
Application Security

Building Secure VS Code Extensions: A Developer's Guide

VS Code extensions run as trusted Node.js code with full disk and network access and no permission model to fall back on. Here is how to build one that does not become the next supply chain incident.

Jul 8, 20266 min read
Application Security (Page 11) — Supply Chain Security Blog | Safeguard