AppSec
In-depth guides and analysis on appsec from the Safeguard engineering team.
114 articles
Code Injection in Python: How It Happens and How to Prevent It
Code injection python vulnerabilities almost always trace back to eval, exec, or a template engine handed untrusted input; here is how the attack works and how to close it off.
Static Code Analysis in Cyber Security: What It Actually Does
Static code analysis in cyber security means scanning source code without running it to catch injection flaws, hardcoded secrets, and unsafe patterns before they ship — here's what it catches and what it misses.
Website Vulnerability Scanners: How They Work and What They Miss
How a website vulnerability scanner crawls, fuzzes, and fingerprints your app, plus the whole classes of flaws it structurally cannot find on its own.
Web Application Penetration Testing: What to Expect
A real web application penetration test follows a scoped, multi-phase process — here's what happens before, during, and after the engagement so the report doesn't surprise you.
JavaScript Vulnerability Scanners: How They Actually Work
A javascript vulnerability scanner has to reason about a dynamically typed, dependency-heavy language — which is why the good ones combine static analysis with dependency-graph lookups rather than relying on either alone.
Free Web Security Scanners: What to Expect From the Free Tier
What a free web security scanner will and won't catch, how the free tiers of popular tools are actually limited, and when you need to pay for real coverage.
Static Code Analysis Tools: The Open Source Options
Static code analysis tools open source teams actually use — Semgrep, CodeQL, Bandit, ESLint security plugins — and where each one's coverage runs out.
SAST vs DAST: When to Use Each (and Why Not Either/Or)
SAST and DAST test different layers of an application at different stages of the pipeline — the real question isn't which to pick, it's how to run both without duplicating effort.
LDAP Injection Attacks: How They Work and How to Prevent Them
LDAP injection lets an attacker manipulate directory-service queries by inserting special filter characters into user input, often bypassing authentication entirely — here's how the attack works and how to stop it.
What Is vm2? The Node.js Sandbox and Its Security History
vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.
AppSec Vulnerability Management: A Workflow Guide
A step-by-step appsec vulnerability management workflow for teams drowning in scanner output — from intake and triage through prioritization, remediation, and verification.
Secure Code Review: A Practical Checklist
Secure code reviews catch a different category of bug than functional code review, and having a repeatable checklist keeps reviewers from relying on memory for the same handful of recurring flaws.