Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Hardening HTTP/2 against protocol-level DoS attacks

HTTP/2 Rapid Reset hit Google with 398 million requests per second in 2023 — a single protocol quirk, not a bug in any one server, drove the largest DDoS ever disclosed.

Jul 8, 20266 min read
Application Security

Identifying memory safety bugs with Valgrind

Valgrind's Memcheck catches use-after-free, leaks, and buffer overruns in unmodified C binaries — at the cost of running your program 10-50x slower.

Jul 8, 20266 min read
Application Security

Bytecode vs. source analysis: static analysis techniques for Java and Kotlin

SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.

Jul 8, 20265 min read
Application Security

Java SecurityManager is gone: a practical migration guide

JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.

Jul 8, 20267 min read
Application Security

Wiring dependency and SAST scanning into your JavaScript CLI workflow

npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.

Jul 8, 20267 min read
Application Security

Secure JWT handling: algorithm confusion, expiry, and storage done right

A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.

Jul 8, 20266 min read
Application Security

LDAP injection: a technical primer and defense guide

LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.

Jul 8, 20266 min read
Application Security

The security cost of long-lived HTTP connections

Keep-alive and HTTP/2 multiplexing cut handshake overhead but hold server resources open per connection — Slowloris and 2023's Rapid Reset attacks both exploited exactly that tradeoff.

Jul 8, 20266 min read
Application Security

The Security Implications of Misconfigured CORS in Node.js APIs

One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.

Jul 8, 20266 min read
Application Security

CSRF in Node.js: attack mechanics and modern mitigation

Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.

Jul 8, 20267 min read
Application Security

Node.js vs Deno vs Bun: comparing their security models

Only one of the three major JavaScript runtimes denies system access by default — Node's permission model only went stable in v23.5.0, and Bun still has none.

Jul 8, 20266 min read
Application Security

When Node.js sandboxing stops at the C++ boundary

Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.

Jul 8, 20267 min read
Application Security (Page 9) — Supply Chain Security Blog | Safeguard