Safeguard
Topic

AppSec

In-depth guides and analysis on appsec from the Safeguard engineering team.

114 articles

AppSec

Mobile Security Testing for iOS and Android Apps

Mobile apps fail in ways web apps don't — insecure local storage, weak certificate pinning, reverse-engineerable binaries — and testing them requires methods most web-focused AppSec programs never built.

Apr 9, 20256 min read
AppSec

SAST, DAST, and IAST: The Three Application Testing Types

SAST DAST IAST are three distinct testing approaches that catch different bug classes at different stages — here's how each actually works and when to run which.

Apr 2, 20255 min read
AppSec

An OWASP-Aligned Secure Code Review Checklist

OWASP's secure code review guidance gives structure to what could otherwise be an unfocused read-through — here's a practical checklist built around it.

Mar 24, 20255 min read
AppSec

PHP 7.3 to 7.4 Version Vulnerabilities: A Security Changelog

PHP 7.4 vulnerabilities span years of unsupported point releases; here is what changed security-wise across the 7.3 and 7.4 lines and why staying on either branch today is a standing risk.

Mar 19, 20256 min read
AppSec

Use-After-Free Vulnerabilities: How They're Exploited

A use-after-free exploit turns a dangling pointer into arbitrary code execution — here's how the bug class works, why it still dominates browser and kernel CVEs, and how to catch it before release.

Mar 18, 20256 min read
AppSec

Eclipse Jetty Vulnerabilities: What to Patch and When

Jetty's HTTP/2 handling and older 9.4.x branches have carried real denial-of-service and information-disclosure CVEs — here's what a jetty 9.4.41 exploit actually looks like and which versions close it.

Mar 18, 20256 min read
AppSec

Reading a Scan Report: What Actually Matters

Most scan reports bury the three fields that decide whether a finding needs action today — this is how to read one without drowning in noise.

Mar 18, 20255 min read
AppSec

Finding Vulnerabilities in Source Code: A Practical Method

A concrete, repeatable method for finding vulnerabilities in source code — combining static analysis, dependency scanning, and manual review without drowning your team in false positives.

Mar 14, 20257 min read
AppSec

Free Website Vulnerability Scanners: What You Actually Get

Free scanners catch the obvious stuff — missing headers, expired TLS, a handful of known CVEs — but they stop well short of what a real security program needs.

Mar 14, 20255 min read
AppSec

Application Vulnerability Management: Program Basics

A working definition of application vulnerability management and the five program elements that separate a real practice from a pile of scanner tickets.

Mar 11, 20256 min read
AppSec

What Is the NVD (National Vulnerability Database)?

The NVD is the U.S. government's repository of analyzed vulnerability data, built on top of the CVE program — here's what it actually adds, how CVE and NVD relate, and where its data comes from.

Mar 11, 20256 min read
AppSec

Static Source Code Analysis Tools: A Practical Guide

A practical walkthrough of what static source code analysis tools actually check, where they miss, and how to pick one without buying a shelf-ware scanner.

Mar 11, 20256 min read
AppSec (Page 8) — Supply Chain Security Blog | Safeguard