Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Java DTOs for secure data handling
A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.
The security implications of Node.js worker_threads
Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.
Python linting for security hygiene: what flake8, pylint, and bandit actually catch
Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.
A hands-on stack buffer overflow in C++: root cause and mitigations
The Morris Worm hit ~6,000 machines in 1988 via one unsafe gets() call. We build and hijack a stack overflow in C++ to teach why canaries and ASLR exist.
Modern C++ security: smart pointers, bounds checking, and static analysis
Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.
A hardening checklist for modern Drupal deployments
Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.
How modern SAST engines model data flow and taint tracking
Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.
Why assert is not a security control in Python
Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.
The Python code review security checklist: eval, pickle, and shell=True
Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.
React security best practices: stopping XSS, dangerouslySetInnerHTML, and dependency risk
React auto-escapes JSX text by default, but dangerouslySetInnerHTML, href injection, and a 500-package npm worm show where that protection stops.
Reverse shell attack mechanics and detection
Reverse shells flip the direction of the connection so outbound firewall rules never fire — here is how they work and the signals that catch them anyway.
Robust URL Validation in Python: Stopping SSRF and Open Redirects
One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.