Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
Defense-in-depth for a modern cloud-native application stack
Log4Shell and the XZ backdoor were caught two different ways — one by patching, one by a developer noticing 500ms of extra SSH latency. Neither alone is a strategy.
The four pillars every enterprise security program needs
Identity, patching, segmentation, and logging aren't a checklist — they're the four controls that determine whether a breach stays contained or becomes Log4Shell.
Ethical hacking techniques, mapped to a responsible disclosure workflow
Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.
Installing and Verifying Java on macOS Securely
A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.
Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages
NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.
Getting AES right in Java: JCA/JCE mistakes that break your encryption
Call `Cipher.getInstance("AES")` in Java and you silently get ECB mode — no warning, no error, just plaintext patterns leaking through.
Node.js backend architecture patterns for 2026
Node 22 shipped a stable permission model and npm has supported provenance since 2023 — yet the September 2025 Shai-Hulud worm still spread through unpinned installs.
Open-source penetration testing tools: a comparison guide
Nine open-source pentest tools, one decision problem: Nmap finds hosts, Metasploit exploits them, but neither replaces the other. Here's when to reach for each.
Symmetric vs asymmetric file encryption in Python, done correctly
AES-GCM needs a unique 96-bit nonce every single time — reuse one under the same key and GCM's authentication guarantee collapses entirely, not just confidentiality.
The complete workflow for finding and remediating hardcoded secrets in GitHub
GitGuardian found 12.8 million secrets leaked on public GitHub in 2023 alone, and over 90% were still valid five days later. Here's the fix workflow that actually closes the gap.
Secrets detection to prevent data breaches
GitGuardian found 12.8 million new secrets exposed on public GitHub in 2023, up 28% year over year — and most of them stayed live for days after leaking.
Parameterized queries across languages: the real defense against SQL injection
SQL injection (CWE-89) still ranks #3 on the OWASP Top 10, but every major language has shipped a native, built-in fix for over a decade — most breaches happen anyway.