Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Integrating C/C++ security scanning into CI pipelines
Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.
Java deserialization gadget chains explained
One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.
Using Jakarta Bean Validation correctly: a defensive walkthrough
Jakarta Bean Validation stops malformed input, not attackers — a 2025 Hibernate Validator EL-injection flaw (CVSS 7.3) shows what goes wrong when teams conflate the two.
Preventing insecure deserialization in Node.js
A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.
Preventing SMTP injection vulnerabilities in email-sending code
A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.
Preventing XSS in Java Spring and JSP applications
OWASP folded XSS into A03:2021-Injection, present in ~3.37% of tested apps — raw JSP EL output and a missing CSP header are still the two most common causes.
How catastrophic regex backtracking causes ReDoS — and how to stop it
A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.
Safely Parsing Untrusted URLs in Node.js
Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.
XPath injection: how it happens and how to stop it in Java, .NET, and PHP
A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.
DNS attack techniques and defenses
Cache poisoning, tunneling, and NXDOMAIN floods all abuse the same trust: DNS was built to be fast and open, not authenticated.
Fuzz testing for AppSec teams: AFL++, libFuzzer, and OSS-Fuzz
OSS-Fuzz has found over 13,000 vulnerabilities since 2016, yet most AppSec teams still treat fuzzing as a research curiosity rather than a pipeline stage.
How to actually implement TLS correctly in Python
One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.