Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

Python Dependency Scanning: A Practical Guide

Your code is a small fraction of what ships. This is how to inventory, scan, and continuously monitor the Python dependency tree that makes up the rest.

Jul 8, 20265 min read
Security Guides

API Authentication Best Practices (2026)

How you authenticate API clients decides how bad a leaked credential gets. Here is how to choose and harden API keys, bearer tokens, JWTs, and mTLS in 2026.

Jul 8, 20266 min read
Security Guides

Insecure Deserialization in .NET: BinaryFormatter and Beyond

Why insecure deserialization is a remote-code-execution risk in .NET, what changed with BinaryFormatter's removal in .NET 9, and the dangerous JSON.NET settings still in the wild.

Jul 8, 20265 min read
Security Guides

The Go Web Application Security Checklist: Server Hardening to Output Encoding

A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.

Jul 8, 20266 min read
Security Guides

Log4Shell Explained: Root Cause and Complete Remediation

Log4Shell (CVE-2021-44228) hit CVSS 10.0 and is still exploited today. Here's how the attack works, why it lingers, and how to remediate it completely.

Jul 8, 20265 min read
Security Guides

Managing Transitive Dependencies: The Vulnerabilities You Didn't Choose

Most dependency risk lives in packages you never installed directly. Here is how transitive dependencies work across ecosystems and how to audit and control them.

Jul 8, 20265 min read
Security Guides

node-fetch Security Guide (2026)

node-fetch brought the browser fetch API to Node.js and became a near-universal HTTP client — and its two real CVEs, a redirect-based header leak and a size-limit bypass, are exactly the kind of subtle bug that ships to millions of apps.

Jul 8, 20266 min read
Security Guides

OIDC vs Static Credentials in CI/CD (2026 Guide)

Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.

Jul 8, 20266 min read
Security Guides

OWASP A10: Server-Side Request Forgery (SSRF) — A Deep-Dive Guide

Server-Side Request Forgery ranks #10 in the OWASP Top 10 (2021). A deep dive into cloud metadata theft, real CVEs like ProxyLogon, and how to stop SSRF in 2026.

Jul 8, 20267 min read
Security Guides

Protocol Buffers (protobuf) Security Guide (2026)

Protocol Buffers is the serialization format behind gRPC and much of modern service-to-service traffic — and because parsing untrusted binary is its whole job, its real CVEs are denial-of-service by design, with a critical prototype-pollution bug in the JavaScript runtime.

Jul 8, 20266 min read
Security Guides

Preventing SSRF in Python Applications

Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.

Jul 8, 20265 min read
Security Guides

PyYAML Security Guide (2026)

PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.

Jul 8, 20265 min read
Security Guides — Supply Chain Security Blog | Safeguard