Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Hardening HTTP/2 against protocol-level DoS attacks
HTTP/2 Rapid Reset hit Google with 398 million requests per second in 2023 — a single protocol quirk, not a bug in any one server, drove the largest DDoS ever disclosed.
Identifying memory safety bugs with Valgrind
Valgrind's Memcheck catches use-after-free, leaks, and buffer overruns in unmodified C binaries — at the cost of running your program 10-50x slower.
Bytecode vs. source analysis: static analysis techniques for Java and Kotlin
SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.
Java SecurityManager is gone: a practical migration guide
JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.
Wiring dependency and SAST scanning into your JavaScript CLI workflow
npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.
Secure JWT handling: algorithm confusion, expiry, and storage done right
A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.
LDAP injection: a technical primer and defense guide
LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.
The security cost of long-lived HTTP connections
Keep-alive and HTTP/2 multiplexing cut handshake overhead but hold server resources open per connection — Slowloris and 2023's Rapid Reset attacks both exploited exactly that tradeoff.
The Security Implications of Misconfigured CORS in Node.js APIs
One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.
CSRF in Node.js: attack mechanics and modern mitigation
Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.
Node.js vs Deno vs Bun: comparing their security models
Only one of the three major JavaScript runtimes denies system access by default — Node's permission model only went stable in v23.5.0, and Bun still has none.
When Node.js sandboxing stops at the C++ boundary
Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.