Safeguard
Topic

Best Practices

In-depth guides and analysis on best practices from the Safeguard engineering team.

252 articles

Best Practices

Defense-in-depth for a modern cloud-native application stack

Log4Shell and the XZ backdoor were caught two different ways — one by patching, one by a developer noticing 500ms of extra SSH latency. Neither alone is a strategy.

Jul 8, 20266 min read
Best Practices

The four pillars every enterprise security program needs

Identity, patching, segmentation, and logging aren't a checklist — they're the four controls that determine whether a breach stays contained or becomes Log4Shell.

Jul 8, 20266 min read
Best Practices

Ethical hacking techniques, mapped to a responsible disclosure workflow

Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.

Jul 8, 20266 min read
Best Practices

Installing and Verifying Java on macOS Securely

A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.

Jul 8, 20266 min read
Best Practices

Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages

NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.

Jul 8, 20267 min read
Best Practices

Getting AES right in Java: JCA/JCE mistakes that break your encryption

Call `Cipher.getInstance("AES")` in Java and you silently get ECB mode — no warning, no error, just plaintext patterns leaking through.

Jul 8, 20267 min read
Best Practices

Node.js backend architecture patterns for 2026

Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.

Jul 8, 20267 min read
Best Practices

Open-source penetration testing tools: a comparison guide

Nine open-source pentest tools, one decision problem: Nmap finds hosts, Metasploit exploits them, but neither replaces the other. Here's when to reach for each.

Jul 8, 20267 min read
Best Practices

Symmetric vs asymmetric file encryption in Python, done correctly

AES-GCM needs a unique 96-bit nonce every single time — reuse one under the same key and GCM's authentication guarantee collapses entirely, not just confidentiality.

Jul 8, 20267 min read
Best Practices

The complete workflow for finding and remediating hardcoded secrets in GitHub

GitGuardian found 12.8 million secrets leaked on public GitHub in 2023 alone, and over 90% were still valid five days later. Here's the fix workflow that actually closes the gap.

Jul 8, 20268 min read
Best Practices

Secrets detection to prevent data breaches

GitGuardian found 12.8 million new secrets exposed on public GitHub in 2023, up 28% year over year — and most of them stayed live for days after leaking.

Jul 8, 20268 min read
Best Practices

Parameterized queries across languages: the real defense against SQL injection

SQL injection (CWE-89) still ranks #3 on the OWASP Top 10, but every major language has shipped a native, built-in fix for over a decade — most breaches happen anyway.

Jul 8, 20267 min read
Best Practices (Page 3) — Supply Chain Security Blog | Safeguard