Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
API Security Misconfiguration
API misconfigurations exposed 37M T-Mobile and 9.8M Optus accounts without a single exploit. Here's why it keeps happening and how to stop it.
Unsafe Consumption of APIs
OWASP's API10:2023 exposes a blind spot: teams sanitize user input but blindly trust API responses from partners, vendors, and internal services.
What is Broken Object Level Authorization (BOLA)
BOLA lets attackers swap an object ID in an API request to pull someone else's data. Here's how it works, real breaches, and how to stop it.
What is an API Gateway and Its Security Role
An API gateway centralizes auth, routing, and rate limiting for every request — get it wrong and, as T-Mobile and Optus learned, millions of records leak.
What is Rate Limiting
Rate limiting caps requests per client to stop credential stuffing and scraping. Learn how it works, the algorithms, and real breaches it prevents.
What is API Authentication
API authentication verifies who's calling your API before authorization decides what they can do — here's how it works, common methods, and where it fails.
OAuth vs API Keys
OAuth and API keys aren't interchangeable: one is a static, long-lived credential, the other a scoped, expiring token. Here's how to choose, backed by real breaches.
Reachability Analysis for Java: A 2026 Deep Dive
Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.
Secure Patterns for LLM Output Handling in 2026
LLM02 on the OWASP LLM Top 10 keeps quietly producing incidents because downstream systems trust model outputs they should not. Concrete patterns that hold up.
GitLab Ultimate Security Buyer Review 2026
GitLab bundles SAST, SCA, container scanning, and DAST into the Ultimate tier. Is the integrated story worth the premium over best-of-breed tools? An honest review.
JetBrains Plugin Security in 2026
JetBrains IDEs have a smaller plugin ecosystem than VS Code, but the security model is similar and the risks rhyme. Here is what to watch in 2026.
IAST vs SAST in 2026: When to Use Which
A practical guide to when IAST adds value over SAST in 2026, with the workload characteristics that justify the operational cost of runtime instrumentation.