Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Reducing false positives in SAST and SCA tools
NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.
A methodology for testing SPAs for client-side vulnerabilities
DOM XSS, token storage, and API exposure don't show up in a server-side scan — here's a repeatable methodology for testing React, Vue, and Angular apps.
AI code review: what it actually catches versus misses
GitClear's 211M-line study found copy-pasted code rose from 8.3% to 12.3% of changes from 2020 to 2024 — even as AI reviewers flag more comments, the defects that matter most still slip through.
How AI-powered SAST auto-fix engines actually work
GitHub says Copilot Autofix resolves two-thirds of flagged vulnerabilities with little editing; Snyk claims 80% fix accuracy. Here's the pipeline behind both numbers.
ASPM fundamentals: what application security posture management actually aggregates
Gartner coined the ASPM term in May 2023 and projects over 40% of organizations building software will adopt it by 2026 — here is what it actually does.
A practical AppSec maturity model: five stages, self-assessment included
OWASP SAMM v2 scores 15 practices on a 0–3 scale; BSIMM15 measured 121 firms and found SCA adoption up 67%. Here's a five-stage model to self-assess against.
What to Evaluate in an ASPM Solution: A 2026 Buyer's Guide
Gartner named Application Security Posture Management a category in May 2023 — three years later, most RFPs still can't distinguish a real ASPM from a dashboard bolted onto old scanners.
ASPM fundamentals for security teams
Gartner projects over 40% of organizations will adopt Application Security Posture Management by 2026 — here's what it actually aggregates and how to judge if yours is working.
A framework for integrating ASPM into an existing AppSec program
Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.
Why asset inventory should come before AppSec tooling
Only 17% of organizations can inventory 95%+ of their assets, and 69% have been breached through one they didn't know existed — start with the map, not the scanner.
Beyond vulnerability management: a risk-based approach to AppSec
Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.
Broken access control in Express: the OWASP #1 risk, fixed with middleware
Broken access control now shows up in 100% of tested applications, per OWASP's 2025 Top 10 — up from 94% in 2021. Here's how to close it in Express.