Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
OWASP A08: Software and Data Integrity Failures — A Deep-Dive Guide
Software and Data Integrity Failures rank #8 in the OWASP Top 10 (2021). A deep dive into insecure deserialization, unsigned updates, SolarWinds, and real CVEs.
REST API Security Best Practices: The OWASP API Top 10 in Practice
Most API breaches aren't exotic — they're broken object-level authorization and missing rate limits. A practical walk through the OWASP API Security Top 10.
Securing Your Python Supply Chain on PyPI
Typosquats, dependency confusion, and account takeovers all target the same moment: pip install. Here is how to make that moment trustworthy.
semver (npm) Security Guide (2026)
semver is the version-parsing library at the heart of npm itself — and a single ReDoS CVE in its range parser turned this universal dependency into one of the most widely flagged advisories in the JavaScript ecosystem.
Spring Framework Security Guide (2026)
Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.
Auditing PHP Dependencies with composer audit
Composer ships a native security auditor. Learn to run composer audit against your composer.lock, catch abandoned packages, and extend it with continuous SCA.
C# Cryptography Best Practices in .NET
The right way to do cryptography in C#: authenticated encryption with AesGcm, secure randomness, PBKDF2 password hashing, constant-time comparison, and the legacy APIs to stop using.
Go Concurrency Security Pitfalls: When Data Races Become Vulnerabilities
A data race isn't just a flaky test — in the wrong place it's an auth bypass, a cross-request leak, or a denial of service. Here are the Go concurrency bugs that turn into security incidents.
GraphQL API Security: Introspection, Depth Limits, and Authorization
GraphQL's flexibility is its attack surface. Nested queries, introspection, and per-field authorization all fail differently than REST. Here's how to secure them.
Java SQL Injection Prevention: Parameterized Queries and Beyond
SQL injection is decades old and still breaching Java apps. Here's how to prevent it with prepared statements, JPA binding, and safe dynamic queries.
Log4j Security Guide (2026)
Log4j is the most widely deployed Java logging library — and the source of Log4Shell, the defining supply-chain vulnerability of the decade. Here is how to run it safely in 2026.
minimist Security Guide (2026)
minimist is the tiny argument parser buried under a huge slice of the npm ecosystem — and two prototype-pollution CVEs made this 'harmless' 100-line library one of the most widely flagged transitive dependencies in JavaScript.