Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

API Security Misconfiguration

API misconfigurations exposed 37M T-Mobile and 9.8M Optus accounts without a single exploit. Here's why it keeps happening and how to stop it.

Mar 10, 20266 min read
Application Security

Unsafe Consumption of APIs

OWASP's API10:2023 exposes a blind spot: teams sanitize user input but blindly trust API responses from partners, vendors, and internal services.

Mar 9, 20267 min read
Application Security

What is Broken Object Level Authorization (BOLA)

BOLA lets attackers swap an object ID in an API request to pull someone else's data. Here's how it works, real breaches, and how to stop it.

Mar 9, 20267 min read
Application Security

What is an API Gateway and Its Security Role

An API gateway centralizes auth, routing, and rate limiting for every request — get it wrong and, as T-Mobile and Optus learned, millions of records leak.

Mar 9, 20268 min read
Application Security

What is Rate Limiting

Rate limiting caps requests per client to stop credential stuffing and scraping. Learn how it works, the algorithms, and real breaches it prevents.

Mar 9, 20266 min read
Application Security

What is API Authentication

API authentication verifies who's calling your API before authorization decides what they can do — here's how it works, common methods, and where it fails.

Mar 8, 20267 min read
Application Security

OAuth vs API Keys

OAuth and API keys aren't interchangeable: one is a static, long-lived credential, the other a scoped, expiring token. Here's how to choose, backed by real breaches.

Mar 8, 20267 min read
Application Security

Reachability Analysis for Java: A 2026 Deep Dive

Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.

Mar 4, 20266 min read
Application Security

Secure Patterns for LLM Output Handling in 2026

LLM02 on the OWASP LLM Top 10 keeps quietly producing incidents because downstream systems trust model outputs they should not. Concrete patterns that hold up.

Mar 4, 20265 min read
Application Security

GitLab Ultimate Security Buyer Review 2026

GitLab bundles SAST, SCA, container scanning, and DAST into the Ultimate tier. Is the integrated story worth the premium over best-of-breed tools? An honest review.

Mar 3, 20266 min read
Application Security

JetBrains Plugin Security in 2026

JetBrains IDEs have a smaller plugin ecosystem than VS Code, but the security model is similar and the risks rhyme. Here is what to watch in 2026.

Mar 2, 20266 min read
Application Security

IAST vs SAST in 2026: When to Use Which

A practical guide to when IAST adds value over SAST in 2026, with the workload characteristics that justify the operational cost of runtime instrumentation.

Feb 28, 20266 min read
Application Security (Page 27) — Supply Chain Security Blog | Safeguard