Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Building an authenticated, TLS-secured WebSocket server in Python

WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.

Jul 11, 20266 min read
Application Security

The most common C++ vulnerability classes, and the tooling that catches them

Memory-safety bugs account for roughly 70% of high-severity CVEs in large C/C++ codebases at Microsoft and Google. Here's why, and what actually stops them.

Jul 11, 20267 min read
Application Security

How to Discover Shadow and Undocumented APIs Before Attackers Do

A single undocumented API endpoint exposed 10 million Optus records in 2022. Here's how to find shadow APIs in production and assess their real exposure.

Jul 10, 20266 min read
Application Security

A primer on the OWASP API Security Top 10 and how to test for it

The OWASP API Security Top 10 dropped Injection entirely in its 2023 update and added SSRF — most REST and GraphQL teams still test for the old list.

Jul 10, 20267 min read
Application Security

Argument injection in Git and Mercurial CLI wrappers

A branch name like --upload-pack=/bin/sh isn't a string to Git — it's a flag. CVE-2017-1000117 and CVE-2017-1000116 show why that distinction matters.

Jul 10, 20266 min read
Application Security

Detecting weak cryptographic algorithms in code

SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.

Jul 10, 20267 min read
Application Security

JWT security vulnerabilities and best practices

The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.

Jul 10, 20266 min read
Application Security

Securing gRPC APIs: mTLS, Interceptors, and Input Validation

CVE-2023-44487 knocked grpc-go services offline with a Rapid Reset flood — a reminder that gRPC ships fast, insecure by default, and needs hardening at every layer.

Jul 10, 20266 min read
Application Security

Where should your SPA store auth tokens?

OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.

Jul 10, 20266 min read
Application Security

Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?

The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.

Jul 10, 20266 min read
Application Security

AI-driven DAST for modern applications

73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.

Jul 9, 20267 min read
Application Security

Inside CVE-2025-55182: the React Server Components RCE and how to defend against it

A CVSS 10.0 pre-auth RCE in React Server Components, exploited within 48 hours of disclosure — how the deserialization flaw works and how to mitigate it.

Jul 9, 20266 min read
Application Security (Page 6) — Supply Chain Security Blog | Safeguard