Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Post-Quantum Cryptography Migration for Application Security
NIST finalized PQC standards in 2024, but most companies can't even inventory where RSA and ECC live in their stack. Here's a realistic migration roadmap for AppSec teams.
CVE-2021-25287: Buffer overflow in Pillow SGI decoder
A heap buffer overflow in Pillow's SGI image decoder (CVE-2021-25287) let crafted images corrupt memory. Here's the impact, fix, and remediation guidance.
CVE-2021-25288: Buffer overflow in Pillow FLI decoder
CVE-2021-25288 is a buffer overflow in Pillow's FLI decoder, fixed in Pillow 8.1.0. Here's what's affected, the risk profile, and how to remediate.
How Snyk Code's semantic analysis engine builds a code mo...
A mechanical look at how Snyk Code's semantic analysis engine parses source into a code model, tracks data flow across files, and prioritizes vulnerability findings.
Inside DeepCode AI: how Snyk Code's ML models are trained...
How Snyk's DeepCode AI turns millions of open-source commit fixes into the symbolic-AI and ML models powering Snyk Code's vulnerability detection and autofixes.
How taint analysis works in Snyk Code: tracking data from...
Snyk Code traces untrusted data from source to sink using interprocedural static analysis and ML ranking. Here's how the taint-tracking mechanics work.
How Snyk Code performs interprocedural data-flow analysis...
How Snyk Code tracks tainted data across function and file boundaries using call-graph summaries, taint propagation, and hybrid symbolic AI rules.
How Snyk Code models control flow to catch race condition...
A mechanical look at how Snyk Code builds control flow and data flow graphs to trace paths that produce race conditions and null pointer dereferences.
How Snyk Code distinguishes sanitizers from insecure sour...
How Snyk Code's taint-tracking engine tells sanitizers apart from insecure sources and sinks, and where the source-sink-sanitizer model still needs human review.
Why Snyk Code's semantic approach produces fewer false po...
Snyk Code cuts SAST false positives using semantic analysis: AST/data-flow graphs plus ML trained on real code, not regex patterns. Here is how the mechanics work.
How Snyk Code detects SQL injection vulnerabilities step ...
A mechanical, publicly-documented look at how Snyk Code's symbolic analysis and ML model trace source-to-sink data flow to detect SQL injection vulnerabilities.
How Snyk Code detects cross-site scripting (XSS) through ...
How Snyk Code's taint analysis traces untrusted input from source to sink to flag reflected, DOM-based, and stored XSS with fewer false positives.