Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
A vendor-neutral framework for evaluating SAST tools
OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.
A hardening guide to securing Flask applications
Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.
Secure multi-tenant SaaS access control patterns
Broken Access Control has topped OWASP's Top 10 for two straight cycles, found in 100% of tested apps in 2025 — most of that risk starts with one missing tenant_id check.
Secure password hashing in Go: bcrypt, Argon2, and the mistakes in between
Go's bcrypt package caps input at 72 bytes and returns ErrPasswordTooLong instead of silently truncating — one of several Go-specific quirks that trip up password hashing code.
Secure URL Encoding and Decoding in Java
Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.
Secure session lifecycle management: tokens, rotation, and cookie flags
OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.
Robust input validation in Spring Boot: Bean Validation and its bypasses
Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.
The most common Spring Boot security misconfigurations, and how to fix them
CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.
Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns
Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.
Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox
CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.
Verifying webhook signatures correctly
Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.
Building Secure VS Code Extensions: A Developer's Guide
VS Code extensions run as trusted Node.js code with full disk and network access and no permission model to fall back on. Here is how to build one that does not become the next supply chain incident.