Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
Python Dependency Scanning: A Practical Guide
Your code is a small fraction of what ships. This is how to inventory, scan, and continuously monitor the Python dependency tree that makes up the rest.
API Authentication Best Practices (2026)
How you authenticate API clients decides how bad a leaked credential gets. Here is how to choose and harden API keys, bearer tokens, JWTs, and mTLS in 2026.
Insecure Deserialization in .NET: BinaryFormatter and Beyond
Why insecure deserialization is a remote-code-execution risk in .NET, what changed with BinaryFormatter's removal in .NET 9, and the dangerous JSON.NET settings still in the wild.
The Go Web Application Security Checklist: Server Hardening to Output Encoding
A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.
Log4Shell Explained: Root Cause and Complete Remediation
Log4Shell (CVE-2021-44228) hit CVSS 10.0 and is still exploited today. Here's how the attack works, why it lingers, and how to remediate it completely.
Managing Transitive Dependencies: The Vulnerabilities You Didn't Choose
Most dependency risk lives in packages you never installed directly. Here is how transitive dependencies work across ecosystems and how to audit and control them.
node-fetch Security Guide (2026)
node-fetch brought the browser fetch API to Node.js and became a near-universal HTTP client — and its two real CVEs, a redirect-based header leak and a size-limit bypass, are exactly the kind of subtle bug that ships to millions of apps.
OIDC vs Static Credentials in CI/CD (2026 Guide)
Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.
OWASP A10: Server-Side Request Forgery (SSRF) — A Deep-Dive Guide
Server-Side Request Forgery ranks #10 in the OWASP Top 10 (2021). A deep dive into cloud metadata theft, real CVEs like ProxyLogon, and how to stop SSRF in 2026.
Protocol Buffers (protobuf) Security Guide (2026)
Protocol Buffers is the serialization format behind gRPC and much of modern service-to-service traffic — and because parsing untrusted binary is its whole job, its real CVEs are denial-of-service by design, with a critical prototype-pollution bug in the JavaScript runtime.
Preventing SSRF in Python Applications
Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.
PyYAML Security Guide (2026)
PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.