Safeguard
Topic

AppSec

In-depth guides and analysis on appsec from the Safeguard engineering team.

114 articles

AppSec

Code Injection in Python: How It Happens and How to Prevent It

Code injection python vulnerabilities almost always trace back to eval, exec, or a template engine handed untrusted input; here is how the attack works and how to close it off.

May 14, 20256 min read
AppSec

Static Code Analysis in Cyber Security: What It Actually Does

Static code analysis in cyber security means scanning source code without running it to catch injection flaws, hardcoded secrets, and unsafe patterns before they ship — here's what it catches and what it misses.

May 14, 20255 min read
AppSec

Website Vulnerability Scanners: How They Work and What They Miss

How a website vulnerability scanner crawls, fuzzes, and fingerprints your app, plus the whole classes of flaws it structurally cannot find on its own.

May 13, 20256 min read
AppSec

Web Application Penetration Testing: What to Expect

A real web application penetration test follows a scoped, multi-phase process — here's what happens before, during, and after the engagement so the report doesn't surprise you.

May 9, 20255 min read
AppSec

JavaScript Vulnerability Scanners: How They Actually Work

A javascript vulnerability scanner has to reason about a dynamically typed, dependency-heavy language — which is why the good ones combine static analysis with dependency-graph lookups rather than relying on either alone.

May 6, 20255 min read
AppSec

Free Web Security Scanners: What to Expect From the Free Tier

What a free web security scanner will and won't catch, how the free tiers of popular tools are actually limited, and when you need to pay for real coverage.

May 2, 20255 min read
AppSec

Static Code Analysis Tools: The Open Source Options

Static code analysis tools open source teams actually use — Semgrep, CodeQL, Bandit, ESLint security plugins — and where each one's coverage runs out.

Apr 17, 20255 min read
AppSec

SAST vs DAST: When to Use Each (and Why Not Either/Or)

SAST and DAST test different layers of an application at different stages of the pipeline — the real question isn't which to pick, it's how to run both without duplicating effort.

Apr 16, 20255 min read
AppSec

LDAP Injection Attacks: How They Work and How to Prevent Them

LDAP injection lets an attacker manipulate directory-service queries by inserting special filter characters into user input, often bypassing authentication entirely — here's how the attack works and how to stop it.

Apr 14, 20256 min read
AppSec

What Is vm2? The Node.js Sandbox and Its Security History

vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.

Apr 14, 20256 min read
AppSec

AppSec Vulnerability Management: A Workflow Guide

A step-by-step appsec vulnerability management workflow for teams drowning in scanner output — from intake and triage through prioritization, remediation, and verification.

Apr 9, 20255 min read
AppSec

Secure Code Review: A Practical Checklist

Secure code reviews catch a different category of bug than functional code review, and having a repeatable checklist keeps reviewers from relying on memory for the same handful of recurring flaws.

Apr 9, 20255 min read
AppSec (Page 7) — Supply Chain Security Blog | Safeguard