Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
XML Parsing Security: XXE, Billion Laughs, and Beyond
XML's feature richness is its security weakness. XXE, entity expansion, and XSLT injection continue to plague applications that process XML.
Out-of-Bounds Read Vulnerabilities (CWE-125) Explained
How out-of-bounds read vulnerabilities (CWE-125) leak memory instead of crashing programs, why Heartbleed and Cloudbleed happened, and how to catch them in your dependencies.
Out-of-Bounds Write Vulnerabilities (CWE-787) Explained
CWE-787 out-of-bounds write bugs let attackers corrupt memory past a buffer's limit, causing crashes or code execution. Here's how they work.
Improper Restriction of Operations Within Memory Bounds
CWE-119 has topped MITRE's vulnerability rankings for years, from Heartbleed to WannaCry to the 2023 libwebp zero-day. Here's why it persists and how to catch it early.
Integer Overflow and Wraparound Vulnerabilities
A single wrapped integer minted 184B bitcoin, grounded 787s, and erased $900M from a crypto token. Here's how overflow bugs work—and how Safeguard catches them first.
Double-Free Vulnerabilities in C and C++
Double-free bugs let attackers corrupt heap memory and hijack control flow. Here's how they happen in C/C++, real CVEs, and how to catch them early.
Memory Leak Vulnerabilities: Causes and Detection
Memory leaks aren't just a performance bug — from Heartbleed to Samba's CVE-2018-16851, they're a documented attack surface. Here's how they're caused, scored, and detected.
Null Pointer Dereference Vulnerabilities
A single unchecked pointer can crash a server. Here's what null pointer dereference vulnerabilities are, real CVEs like OpenSSL's, and how to catch them.
Uncaught Exception Security Risks
An uncaught exception isn't just a crash: it caused the Equifax breach and Log4j outages. See how exception-handling bugs become real security incidents.
Insufficient Encapsulation Vulnerabilities
An insufficient encapsulation vulnerability (CWE-485) exposes internal state to untrusted code. See how it drove real CVEs in Velocity, Lodash, and BeanUtils.
Generation of Predictable Numbers or Identifiers
From Debian's 2008 OpenSSL bug to First American's 885-million-record leak, predictable identifiers keep breaking security. Here's how the vulnerability works and how to stop it.
Best penetration testing platforms and services
A practical, no-hype comparison of penetration testing platforms and pentest-as-a-service vendors — what to evaluate, six real providers reviewed, and where supply chain risk fits in.