Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Building an authenticated, TLS-secured WebSocket server in Python
WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.
The most common C++ vulnerability classes, and the tooling that catches them
Memory-safety bugs account for roughly 70% of high-severity CVEs in large C/C++ codebases at Microsoft and Google. Here's why, and what actually stops them.
How to Discover Shadow and Undocumented APIs Before Attackers Do
A single undocumented API endpoint exposed 10 million Optus records in 2022. Here's how to find shadow APIs in production and assess their real exposure.
A primer on the OWASP API Security Top 10 and how to test for it
The OWASP API Security Top 10 dropped Injection entirely in its 2023 update and added SSRF — most REST and GraphQL teams still test for the old list.
Argument injection in Git and Mercurial CLI wrappers
A branch name like --upload-pack=/bin/sh isn't a string to Git — it's a flag. CVE-2017-1000117 and CVE-2017-1000116 show why that distinction matters.
Detecting weak cryptographic algorithms in code
SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.
JWT security vulnerabilities and best practices
The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.
Securing gRPC APIs: mTLS, Interceptors, and Input Validation
CVE-2023-44487 knocked grpc-go services offline with a Rapid Reset flood — a reminder that gRPC ships fast, insecure by default, and needs hardening at every layer.
Where should your SPA store auth tokens?
OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.
Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?
The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.
AI-driven DAST for modern applications
73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.
Inside CVE-2025-55182: the React Server Components RCE and how to defend against it
A CVSS 10.0 pre-auth RCE in React Server Components, exploited within 48 hours of disclosure — how the deserialization flaw works and how to mitigate it.