Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
How Snyk Code integrates with GitHub Advanced Security th...
A technical walkthrough of how Snyk Code's SARIF output is generated, uploaded, and deduplicated inside GitHub Advanced Security's code scanning pipeline.
How Snyk Code's confidence scoring separates high-confide...
How Snyk Code's confidence scoring works under the hood, and why "high confidence" and "severity" are not the same axis for triage.
How Snyk Code analyzes API usage patterns to catch insecu...
A technical look at how Snyk Code's symbolic engine and taint tracking flag insecure API calls like weak crypto, XXE, and SSRF before code ships.
How Snyk Code detects path traversal vulnerabilities thro...
How Snyk Code uses interprocedural data-flow tracing—not regex matching—to catch path traversal (CWE-22) by connecting tainted sources to file-system sinks.
How Snyk Code's duplicate and similar-code detection supp...
Snyk Code once shipped duplicate and similar-code detection under its Code Quality rules. Here's how it worked, and what its 2025 retirement means for teams.
How 'Vibe Coding' Culture Is Reshaping Application Securi...
AI-assisted "vibe coding" is reshaping how much code ships and how little of it gets truly reviewed. Here's what the data shows and how AppSec teams should respond.
Reachability Analysis in 2025: Separating Exploitable Vulnerabilities from Noise
Reachability analysis determines whether a vulnerable function is actually called by your application. The technology has matured from research concept to production tool. Here is how it works and where it falls short.
Why Alert Fatigue, Not Tool Gaps, Is the Real AppSec Bott...
AppSec teams don't fail from missing tools, they fail from thousands of unprioritized alerts. Here's why alert fatigue is the real AppSec bottleneck.
Consolidation Wave: Why AppSec Vendors Are Buying Runtime...
CrowdStrike, Cisco, Tenable, and others have spent three years buying runtime-visibility startups. Here's why AppSec vendors need runtime context to fix alert overload.
eBPF and OpenTelemetry: The New Instrumentation Layer for...
eBPF and OpenTelemetry are becoming AppSec's new runtime instrumentation layer, catching supply chain attacks like the xz backdoor that static scanners miss entirely.
Why Every AppSec Vendor Suddenly Has an 'AI Trust' Product
AppSec vendors are rebranding as "AI Trust" platforms. We look at the standards, M&A, and real incidents driving the shift — and why it's a supply chain problem at its core.
The Acquisition Pattern Behind AppSec's Runtime Visibilit...
From Cider Security to the $32B Google-Wiz deal, AppSec acquirers keep paying for one thing: runtime visibility into what code actually does in production.