AppSec
In-depth guides and analysis on appsec from the Safeguard engineering team.
114 articles
API Scanner Tools: What to Look For
An API scanner tool needs to do more than replay a Postman collection against your endpoints. Here's what actually separates a useful API scanner from one that generates noise.
Source Code Analysis Tools: SAST, Linters, and Semantic Engines
Not all source code analysis tools do the same job. Linters, pattern-based SAST, and semantic dataflow engines catch different bug classes, and mixing them up wastes budget.
Encryption and Decryption in Python: A Practical Guide
Encryption in Python is easy to get working and surprisingly easy to get wrong — here's how to do symmetric and asymmetric encryption correctly using the cryptography library instead of rolling your own.
The OWASP Top 10 API Security Risks, Explained
The OWASP Top 10 API Security Risks reorder the classic web vulnerability list around how APIs actually get broken — object-level authorization failures beat injection as the most common real-world root cause.
Reading a SAST Report: Findings, Traces, and Triage
A SAST report is a list of claims, not a list of bugs. How to read data-flow traces, judge severity honestly, and run a triage workflow that keeps the queue moving.
Webhooks Security: A Practical Checklist
Webhooks security is easy to get wrong because the endpoint has to trust an unauthenticated inbound request by default — here's the checklist that closes the common gaps.
XStream Deserialization Vulnerabilities: What You Need to Know
XStream, the popular Java XML serialization library, has a long history of deserialization vulnerabilities that lead to remote code execution when it processes untrusted input — here's what changed and how to fix it.
DAST Scanners: How to Choose One for Your Stack
A DAST scanner tests a running app the way an attacker would — but the options range from free crawlers to full authenticated-flow platforms. Here's how to pick.
DAST Software: Choosing a Dynamic Scanner for Your Stack
The right DAST software depends less on brand name and more on whether it can authenticate into your app and understand your API's actual shape.
Mobile Application Security Assessment: How It's Actually Done
What a mobile application security assessment actually involves, from static binary analysis through dynamic testing on real devices, and where it differs from a web app pen test.
Source Code Security Scanning Programs That Scale
A source code security scanning program that works for 20 repos usually breaks at 200 — here's how to design one that scales with the number of teams, not just the number of scans.
Dynamic Application Security Testing Tools, Compared
Dynamic application security testing tools test running applications the way an attacker would, but they differ sharply on API coverage, auth handling, and CI integration — here's how to tell them apart.