AppSec
In-depth guides and analysis on appsec from the Safeguard engineering team.
114 articles
Mobile Security Testing for iOS and Android Apps
Mobile apps fail in ways web apps don't — insecure local storage, weak certificate pinning, reverse-engineerable binaries — and testing them requires methods most web-focused AppSec programs never built.
SAST, DAST, and IAST: The Three Application Testing Types
SAST DAST IAST are three distinct testing approaches that catch different bug classes at different stages — here's how each actually works and when to run which.
An OWASP-Aligned Secure Code Review Checklist
OWASP's secure code review guidance gives structure to what could otherwise be an unfocused read-through — here's a practical checklist built around it.
PHP 7.3 to 7.4 Version Vulnerabilities: A Security Changelog
PHP 7.4 vulnerabilities span years of unsupported point releases; here is what changed security-wise across the 7.3 and 7.4 lines and why staying on either branch today is a standing risk.
Use-After-Free Vulnerabilities: How They're Exploited
A use-after-free exploit turns a dangling pointer into arbitrary code execution — here's how the bug class works, why it still dominates browser and kernel CVEs, and how to catch it before release.
Eclipse Jetty Vulnerabilities: What to Patch and When
Jetty's HTTP/2 handling and older 9.4.x branches have carried real denial-of-service and information-disclosure CVEs — here's what a jetty 9.4.41 exploit actually looks like and which versions close it.
Reading a Scan Report: What Actually Matters
Most scan reports bury the three fields that decide whether a finding needs action today — this is how to read one without drowning in noise.
Finding Vulnerabilities in Source Code: A Practical Method
A concrete, repeatable method for finding vulnerabilities in source code — combining static analysis, dependency scanning, and manual review without drowning your team in false positives.
Free Website Vulnerability Scanners: What You Actually Get
Free scanners catch the obvious stuff — missing headers, expired TLS, a handful of known CVEs — but they stop well short of what a real security program needs.
Application Vulnerability Management: Program Basics
A working definition of application vulnerability management and the five program elements that separate a real practice from a pile of scanner tickets.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's repository of analyzed vulnerability data, built on top of the CVE program — here's what it actually adds, how CVE and NVD relate, and where its data comes from.
Static Source Code Analysis Tools: A Practical Guide
A practical walkthrough of what static source code analysis tools actually check, where they miss, and how to pick one without buying a shelf-ware scanner.