AppSec
In-depth guides and analysis on appsec from the Safeguard engineering team.
114 articles
Code Security Review: Manual vs Automated, and Where They Meet
Code security review works best as a combination, not a choice — here's what automated scanning catches, what still needs a human reviewer, and how to structure both.
Website Scanners, Web Scanners, and URL Scanners: What's the Difference
Website scanner, web scanner, and URL scanner are often used interchangeably, but they can mean very different depth of analysis depending on the vendor. Here's how to tell them apart.
Bootstrapping a Secure Website Scan Workflow on a Budget
A small team can build a real scanning habit with zero budget — the trick is turning one-off checks into a repeatable workflow before traffic (and risk) grows.
Unrestricted File Upload Vulnerabilities: Risks and Fixes
An unrestricted file upload vulnerability lets an attacker place a working web shell on your server through a form that was only ever supposed to accept profile pictures or PDFs.
IAST Security: Interactive Application Security Testing Explained
IAST security instruments a running application to watch real requests flow through real code, catching vulnerabilities that static analysis and black-box scanning both miss.
CVE-2023-4863: The libwebp Zero-Day That Hit Chrome and More
CVE-2023-4863 was a heap buffer overflow in libwebp's Huffman decoding that was exploited as a zero-day in the wild — and because libwebp sits inside Chrome, Firefox, and countless Electron apps, one library bug became an ecosystem-wide emergency patch.
SAST Meaning and Full Form: Static Application Security Testing Explained
SAST stands for Static Application Security Testing — analyzing source code for vulnerabilities without running it. Here is what the term means, how it works, and where it fits alongside DAST and SCA.
Software Security Testing: A Practitioner's Overview
Software security testing spans static analysis, dynamic testing, dependency scanning, and manual review — a practical map of which method catches what, written for people who actually run these programs.
SAST Full Form and What It Actually Tests
SAST stands for static application security testing — analyzing source code without running it. Here's exactly what it catches, what it misses, and how it fits a pipeline.
Security Testing for Data Pipelines: A Practical Guide
Data pipelines ingest, transform, and move sensitive information across systems. Here is how to identify and address the security risks that traditional application testing misses.
What Is AppSec, and Who Owns It on a Modern Team?
AppSec covers every security decision made about how software is designed, built, and shipped — but ownership is more distributed than most org charts admit.
What Does SAST Stand For, Exactly?
SAST stands for static application security testing — analyzing source code for vulnerabilities without ever running the program, which is what separates it from every dynamic testing approach.