Safeguard
Topic

AppSec

In-depth guides and analysis on appsec from the Safeguard engineering team.

114 articles

AppSec

Apache Tomcat and Coyote Connector Vulnerabilities Explained

Apache tomcat vulnerabilities keep surfacing because Tomcat sits directly in the request path of so many Java applications; here is what the Coyote connector does and which vulnerability classes recur most.

Aug 8, 20256 min read
AppSec

OWASP ZAP as a DAST Tool: Getting Started

OWASP ZAP DAST scanning is free, mature, and a genuinely solid starting point — here's how to run your first zap scan and what to expect once you scale past it.

Jul 30, 20255 min read
AppSec

Static vs Dynamic Code Analysis: The Real Tradeoffs

Static analysis reads code without running it; dynamic analysis watches an application behave — the real question isn't which is better, it's which gap each one leaves open.

Jul 30, 20256 min read
AppSec

How to Run a Website Security Check (Free and Paid Methods)

A step-by-step website security check using free tools and paid platforms, from a quick URL scanner pass to authenticated scans and dependency analysis.

Jul 29, 20256 min read
AppSec

Security Plugins for CMS and App Platforms: What They Actually Do

A security plugin can harden a CMS meaningfully, but it can't fix a vulnerable core install or a poorly coded theme — it's a layer, not a replacement for patching.

Jun 30, 20255 min read
AppSec

Blind SQL Injection: A Practical Cheat Sheet

This blind sql injection cheat sheet covers how boolean-based and time-based blind attacks actually work, why they succeed against apps with no visible error output, and how to close them off.

Jun 27, 20256 min read
AppSec

Application Layer Security: What It Covers (and What It Doesn't)

Application layer security protects the code, logic, and APIs at the top of the OSI stack, but it's easy to confuse it with network or infrastructure security controls that solve a different problem.

Jun 25, 20255 min read
AppSec

Application Vulnerability Testing Methods, Compared

Application vulnerability testing spans static analysis, dynamic testing, dependency scanning, and manual review — each catches a different slice of application security vulnerabilities, and none covers all of them alone.

Jun 25, 20256 min read
AppSec

Spring Framework RCE Vulnerabilities: A History

From Spring4Shell to older data binding flaws, Spring framework RCE bugs keep resurfacing in the same handful of places — data binding, expression evaluation, and class loading.

Jun 24, 20256 min read
AppSec

API Security Scanning: What Good Tools Actually Catch

API security scanning explained in terms of the specific failure classes it catches, from broken object-level authorization to shadow endpoints, and why generic web scanners miss most of them.

Jun 24, 20255 min read
AppSec

Application Vulnerability Assessment: Scope, Method, and Reporting

Most assessment reports die unread because scope was fuzzy and findings were not verified. A working method for assessments that end in shipped fixes.

Jun 24, 20255 min read
AppSec

Code Scanning Tools: SAST, Secrets, and Linters Compared

SAST tools, secret scanners, and linters all read your source code but catch entirely different classes of problems — here's how to tell them apart and stack them correctly.

Jun 24, 20255 min read
AppSec (Page 5) — Supply Chain Security Blog | Safeguard