Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
AngularJS security fundamentals
AngularJS has been unpatched since January 2022, yet it still runs in production. Here's the CVE history, the sandbox saga, and how to find your exposure.
Top SAST solutions compared for 2026
Comparing Safeguard and Mend.io on SAST scope, CI/CD fit, and compliance coverage—what's verifiable, what to test yourself, and how a unified platform changes the tradeoffs.
10 Spring Boot security best practices
Ten concrete Spring Boot security practices, with real CVEs, config flags, and file paths, to close the gaps attackers actually exploit.
Best application security testing providers ranked
Mend.io built its reputation on SCA and open source dependency scanning. Here's how Safeguard's supply chain security approach compares.
A guide to input validation with Spring Boot
Spring Boot doesn't validate input by default. Here's how Bean Validation actually works, where teams get it wrong, and how missing validation leads to injection and mass assignment.
How to secure Python Flask applications
Flask ships without built-in CSRF, headers, or session hardening. Here's how real CVEs like debug-mode RCE and cookie forgery get exploited—and stopped.
Securing Django applications from common vulnerabilities
Django's secure-by-default reputation hides real gaps: SQL injection via Trunc()/Extract(), ReDoS in Truncator, and misconfigured DEBUG settings still cause incidents.
Comparing Node.js frameworks for security: Express, Fastify, NestJS
Express, Fastify, and NestJS compared on real CVE history, default security posture, and dependency risk — plus how to close the gaps framework choice alone can't.
5 Node.js security code snippets every backend developer should know
Five real Node.js vulnerability patterns with vulnerable-vs-fixed code: prototype pollution, NoSQL injection, missing headers, path traversal, and JWT flaws.
Securing Next.js applications and middleware
CVE-2025-29927 let attackers bypass Next.js middleware auth with one header. Here's how that and three other real CVEs expose middleware, Server Actions, and caching.
5 best practices for React with TypeScript security
TypeScript's type system stops at compile time. Five concrete practices — with real CVEs and incidents — for securing React + TypeScript apps against what it misses.
10 GitHub security best practices
10 concrete GitHub security controls—2FA, push protection, branch rules, pinned Actions, SBOM—with real CVEs and dates security teams can act on today.