AppSec
In-depth guides and analysis on appsec from the Safeguard engineering team.
114 articles
Application Security Testing Tools: SAST, DAST, IAST, and SCA Compared
Four scanner families see four different slices of your risk. What SAST, DAST, IAST, and SCA each catch and miss, and how to sequence them in CI without drowning developers.
DAST Tools for DevSecOps Teams
The best DAST tools for DevSecOps teams run inside CI/CD rather than as a separate pre-launch step, and Gartner's own analysis of the DAST market backs that shift as the defining trend.
The OWASP API Security Top 10: Each Risk Explained
The OWASP API Top 10 is a ranked list of the most common API-specific vulnerability classes, from broken object level authorization to unsafe consumption of third-party APIs.
DAST Testing: How Dynamic Scans Probe Running Applications
DAST testing attacks your app the way an outsider would — no source code, just HTTP requests against a running target. Here is how the scan works, what it catches that SAST misses, and where it falls short.
Web Session Security: A Practical Guide
Web session security is the set of controls that keep a logged-in user's session token from being stolen, guessed, or reused by an attacker — and most of it comes down to a handful of cookie flags and lifecycle rules teams routinely skip.
Application Security Vulnerability Management: A Working Workflow
A concrete workflow for application security vulnerability management, from scan to fix to verified close, that survives contact with a real release calendar.
Scanning a Website for Vulnerabilities, Step by Step
A practical walkthrough of how to scan a website for vulnerabilities — from picking a scan target and authentication mode to reading the results without drowning in false positives.
Serialization vs. Deserialization in Java: Security Implications
The difference between serialization and deserialization in Java is simple to state and dangerous to get wrong — deserialization of untrusted data has caused some of the highest-severity Java CVEs of the last decade.
Encryption Algorithms in Java: A Practical Overview
Java ships a wide menu of encryption algorithms through its Java Cryptography Architecture, but picking the wrong mode or a deprecated cipher is one of the most common security findings in Java codebases.
Open Redirect Vulnerabilities: How Attackers Abuse Them
An open redirect attack abuses a trusted domain's own redirect functionality to send victims to a malicious site — low severity on its own, but a key ingredient in phishing and OAuth token theft.
Buffer Overflow Exploits: A Practical Example
A buffer overflow exploit example, walked through step by step, showing exactly how writing past the end of a fixed-size buffer can turn a simple C function into arbitrary code execution.
Open Source SAST Tools Worth Evaluating
A rundown of the open source SAST tools engineering teams actually use in production, and where each one runs out of road.