AppSec
In-depth guides and analysis on appsec from the Safeguard engineering team.
114 articles
Apache Tomcat and Coyote Connector Vulnerabilities Explained
Apache tomcat vulnerabilities keep surfacing because Tomcat sits directly in the request path of so many Java applications; here is what the Coyote connector does and which vulnerability classes recur most.
OWASP ZAP as a DAST Tool: Getting Started
OWASP ZAP DAST scanning is free, mature, and a genuinely solid starting point — here's how to run your first zap scan and what to expect once you scale past it.
Static vs Dynamic Code Analysis: The Real Tradeoffs
Static analysis reads code without running it; dynamic analysis watches an application behave — the real question isn't which is better, it's which gap each one leaves open.
How to Run a Website Security Check (Free and Paid Methods)
A step-by-step website security check using free tools and paid platforms, from a quick URL scanner pass to authenticated scans and dependency analysis.
Security Plugins for CMS and App Platforms: What They Actually Do
A security plugin can harden a CMS meaningfully, but it can't fix a vulnerable core install or a poorly coded theme — it's a layer, not a replacement for patching.
Blind SQL Injection: A Practical Cheat Sheet
This blind sql injection cheat sheet covers how boolean-based and time-based blind attacks actually work, why they succeed against apps with no visible error output, and how to close them off.
Application Layer Security: What It Covers (and What It Doesn't)
Application layer security protects the code, logic, and APIs at the top of the OSI stack, but it's easy to confuse it with network or infrastructure security controls that solve a different problem.
Application Vulnerability Testing Methods, Compared
Application vulnerability testing spans static analysis, dynamic testing, dependency scanning, and manual review — each catches a different slice of application security vulnerabilities, and none covers all of them alone.
Spring Framework RCE Vulnerabilities: A History
From Spring4Shell to older data binding flaws, Spring framework RCE bugs keep resurfacing in the same handful of places — data binding, expression evaluation, and class loading.
API Security Scanning: What Good Tools Actually Catch
API security scanning explained in terms of the specific failure classes it catches, from broken object-level authorization to shadow endpoints, and why generic web scanners miss most of them.
Application Vulnerability Assessment: Scope, Method, and Reporting
Most assessment reports die unread because scope was fuzzy and findings were not verified. A working method for assessments that end in shipped fixes.
Code Scanning Tools: SAST, Secrets, and Linters Compared
SAST tools, secret scanners, and linters all read your source code but catch entirely different classes of problems — here's how to tell them apart and stack them correctly.