Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Reachability Analysis for Python and pip in 2026
Python reachability is hard but useful: dynamic dispatch, monkey-patching, optional extras, and how modern tools handle real Django and FastAPI services.
CodeQL vs Semgrep: A 2026 Buyer Comparison
A practical head-to-head between CodeQL and Semgrep in 2026: query power, performance, rule authoring, and where each tool earns its place in a modern SAST program.
VS Code Extensions and Supply Chain Risk in 2026
VS Code extensions run with full editor privileges and broad filesystem access. A look at the real attacks, the marketplace's blind spots, and how to harden the workstation.
IAST vs RASP: A Decision Tree for 2026
When to deploy IAST, when to deploy RASP, and when to skip both. A pragmatic decision tree based on application architecture, threat model, and operational maturity.
YAML Deserialization Attacks: The Config File That Runs Code
YAML's type system allows object instantiation during parsing. In many languages, this means a YAML file can execute arbitrary code.
How to set up secrets scanning in git repositories
A step-by-step guide to secrets scanning in git repositories using gitleaks and trufflehog, covering pre-commit hooks, CI enforcement, and history audits.
How to configure OWASP ZAP for automated scanning
A step-by-step guide to configuring OWASP ZAP for automated scanning in CI/CD, from Docker setup through baseline and API scans to pipeline gating.
What is Attack Path Analysis
Attack path analysis maps how vulnerabilities and misconfigurations chain together into real exploit routes, cutting 10,000+ findings down to the handful that matter.
Reachability Analysis for Rust and Cargo in 2026
How reachability analysis cuts noise for Rust services: cargo features, conditional compilation, RustSec advisories, and the tools that handle Rust well.
How to implement OAuth 2.0 securely
A step-by-step guide to implementing OAuth 2.0 securely: PKCE, redirect URI validation, token storage, and the vulnerabilities to avoid.
How to set up API rate limiting
A practical, step-by-step guide to setting up API rate limiting — gateway and app-layer configs, algorithm choices, per-endpoint tuning, and how to verify it actually blocks abuse.
What is Static Code Analysis
Static code analysis scans source code for flaws before it runs. Here's how SAST works, what it catches, and where it falls short without reachability context.