Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
Secrets Management in Node.js: From .env to Zero-Standing-Credentials
Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.
OWASP A07: Identification and Authentication Failures — A Deep-Dive Guide
Identification and Authentication Failures rank #7 in the OWASP Top 10 (2021). A deep dive into credential stuffing, session handling, real CVEs, and 2026 fixes.
Pickle and Deserialization Security in Python
Unpickling untrusted data is arbitrary code execution, by design. Here is why pickle is dangerous, where it hides, and what to use instead.
The Risks of Secrets in Environment Variables (2026)
Environment variables feel like the safe place to put secrets — but they leak through crash dumps, child processes, CI logs, and container layers. Here is where env-var secrets escape and what to do instead.
Scala Security Best Practices: JVM Supply Chain, Deserialization, and Framework CVEs
Scala's expressive type system does nothing about the JVM attack surface underneath it. Log4Shell, Jackson gadget chains, and Spark's command-injection CVE all reach Scala code directly.
Subresource Integrity (SRI) Explained (2026)
Subresource Integrity pins a cryptographic hash to every script you load from a CDN, so a compromised CDN cannot silently swap in malicious code. Here is how it works and where it stops.
.NET Dependency Vulnerability Scanning: A Practical Guide
How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.
Securing Express Applications: A Layered Playbook
Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.
Content Security Policy (CSP) Explained (2026)
A Content Security Policy is your last line of defense against XSS. Here is how CSP works, why nonce-based strict policies beat allowlists, and how to deploy one without breaking your app.
C++ Security Best Practices: Memory Safety, Hardening Flags, and the C/C++ Supply Chain
Microsoft attributes roughly 70% of its CVEs to memory-safety bugs, and the xz backdoor proved the C/C++ supply chain is a live target. Here is the practical hardening path for code you can't rewrite.
Database Credential Security (2026 Guide)
Database credentials are the last door between an attacker and your data. This guide covers eliminating static passwords with IAM auth, scoping least privilege, rotating safely, and detecting leaked connection strings.
The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI
Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.