Safeguard
Topic

AppSec

In-depth guides and analysis on appsec from the Safeguard engineering team.

114 articles

AppSec

API Scanner Tools: What to Look For

An API scanner tool needs to do more than replay a Postman collection against your endpoints. Here's what actually separates a useful API scanner from one that generates noise.

Sep 17, 20255 min read
AppSec

Source Code Analysis Tools: SAST, Linters, and Semantic Engines

Not all source code analysis tools do the same job. Linters, pattern-based SAST, and semantic dataflow engines catch different bug classes, and mixing them up wastes budget.

Sep 16, 20256 min read
AppSec

Encryption and Decryption in Python: A Practical Guide

Encryption in Python is easy to get working and surprisingly easy to get wrong — here's how to do symmetric and asymmetric encryption correctly using the cryptography library instead of rolling your own.

Sep 16, 20256 min read
AppSec

The OWASP Top 10 API Security Risks, Explained

The OWASP Top 10 API Security Risks reorder the classic web vulnerability list around how APIs actually get broken — object-level authorization failures beat injection as the most common real-world root cause.

Sep 9, 20256 min read
AppSec

Reading a SAST Report: Findings, Traces, and Triage

A SAST report is a list of claims, not a list of bugs. How to read data-flow traces, judge severity honestly, and run a triage workflow that keeps the queue moving.

Sep 9, 20256 min read
AppSec

Webhooks Security: A Practical Checklist

Webhooks security is easy to get wrong because the endpoint has to trust an unauthenticated inbound request by default — here's the checklist that closes the common gaps.

Aug 22, 20255 min read
AppSec

XStream Deserialization Vulnerabilities: What You Need to Know

XStream, the popular Java XML serialization library, has a long history of deserialization vulnerabilities that lead to remote code execution when it processes untrusted input — here's what changed and how to fix it.

Aug 21, 20256 min read
AppSec

DAST Scanners: How to Choose One for Your Stack

A DAST scanner tests a running app the way an attacker would — but the options range from free crawlers to full authenticated-flow platforms. Here's how to pick.

Aug 19, 20254 min read
AppSec

DAST Software: Choosing a Dynamic Scanner for Your Stack

The right DAST software depends less on brand name and more on whether it can authenticate into your app and understand your API's actual shape.

Aug 19, 20256 min read
AppSec

Mobile Application Security Assessment: How It's Actually Done

What a mobile application security assessment actually involves, from static binary analysis through dynamic testing on real devices, and where it differs from a web app pen test.

Aug 19, 20255 min read
AppSec

Source Code Security Scanning Programs That Scale

A source code security scanning program that works for 20 repos usually breaks at 200 — here's how to design one that scales with the number of teams, not just the number of scans.

Aug 19, 20256 min read
AppSec

Dynamic Application Security Testing Tools, Compared

Dynamic application security testing tools test running applications the way an attacker would, but they differ sharply on API coverage, auth handling, and CI integration — here's how to tell them apart.

Aug 14, 20254 min read
AppSec (Page 4) — Supply Chain Security Blog | Safeguard