Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Java DTOs for secure data handling

A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.

Jul 12, 20266 min read
Application Security

The security implications of Node.js worker_threads

Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.

Jul 12, 20266 min read
Application Security

Python linting for security hygiene: what flake8, pylint, and bandit actually catch

Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.

Jul 12, 20266 min read
Application Security

A hands-on stack buffer overflow in C++: root cause and mitigations

The Morris Worm hit ~6,000 machines in 1988 via one unsafe gets() call. We build and hijack a stack overflow in C++ to teach why canaries and ASLR exist.

Jul 11, 20267 min read
Application Security

Modern C++ security: smart pointers, bounds checking, and static analysis

Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.

Jul 11, 20266 min read
Application Security

A hardening checklist for modern Drupal deployments

Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.

Jul 11, 20266 min read
Application Security

How modern SAST engines model data flow and taint tracking

Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.

Jul 11, 20266 min read
Application Security

Why assert is not a security control in Python

Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.

Jul 11, 20266 min read
Application Security

The Python code review security checklist: eval, pickle, and shell=True

Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.

Jul 11, 20266 min read
Application Security

React security best practices: stopping XSS, dangerouslySetInnerHTML, and dependency risk

React auto-escapes JSX text by default, but dangerouslySetInnerHTML, href injection, and a 500-package npm worm show where that protection stops.

Jul 11, 20266 min read
Application Security

Reverse shell attack mechanics and detection

Reverse shells flip the direction of the connection so outbound firewall rules never fire — here is how they work and the signals that catch them anyway.

Jul 11, 20266 min read
Application Security

Robust URL Validation in Python: Stopping SSRF and Open Redirects

One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.

Jul 11, 20266 min read
Application Security (Page 5) — Supply Chain Security Blog | Safeguard