Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Integrating C/C++ security scanning into CI pipelines

Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.

Jul 13, 20267 min read
Application Security

Java deserialization gadget chains explained

One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.

Jul 13, 20266 min read
Application Security

Using Jakarta Bean Validation correctly: a defensive walkthrough

Jakarta Bean Validation stops malformed input, not attackers — a 2025 Hibernate Validator EL-injection flaw (CVSS 7.3) shows what goes wrong when teams conflate the two.

Jul 13, 20267 min read
Application Security

Preventing insecure deserialization in Node.js

A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.

Jul 13, 20265 min read
Application Security

Preventing SMTP injection vulnerabilities in email-sending code

A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.

Jul 13, 20266 min read
Application Security

Preventing XSS in Java Spring and JSP applications

OWASP folded XSS into A03:2021-Injection, present in ~3.37% of tested apps — raw JSP EL output and a missing CSP header are still the two most common causes.

Jul 13, 20266 min read
Application Security

How catastrophic regex backtracking causes ReDoS — and how to stop it

A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.

Jul 13, 20266 min read
Application Security

Safely Parsing Untrusted URLs in Node.js

Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.

Jul 13, 20266 min read
Application Security

XPath injection: how it happens and how to stop it in Java, .NET, and PHP

A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.

Jul 13, 20266 min read
Application Security

DNS attack techniques and defenses

Cache poisoning, tunneling, and NXDOMAIN floods all abuse the same trust: DNS was built to be fast and open, not authenticated.

Jul 12, 20266 min read
Application Security

Fuzz testing for AppSec teams: AFL++, libFuzzer, and OSS-Fuzz

OSS-Fuzz has found over 13,000 vulnerabilities since 2016, yet most AppSec teams still treat fuzzing as a research curiosity rather than a pipeline stage.

Jul 12, 20267 min read
Application Security

How to actually implement TLS correctly in Python

One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.

Jul 12, 20265 min read
Application Security (Page 4) — Supply Chain Security Blog | Safeguard