Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

Secrets Management in Node.js: From .env to Zero-Standing-Credentials

Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.

Jul 5, 20265 min read
Security Guides

OWASP A07: Identification and Authentication Failures — A Deep-Dive Guide

Identification and Authentication Failures rank #7 in the OWASP Top 10 (2021). A deep dive into credential stuffing, session handling, real CVEs, and 2026 fixes.

Jul 5, 20266 min read
Security Guides

Pickle and Deserialization Security in Python

Unpickling untrusted data is arbitrary code execution, by design. Here is why pickle is dangerous, where it hides, and what to use instead.

Jul 5, 20265 min read
Security Guides

The Risks of Secrets in Environment Variables (2026)

Environment variables feel like the safe place to put secrets — but they leak through crash dumps, child processes, CI logs, and container layers. Here is where env-var secrets escape and what to do instead.

Jul 5, 20266 min read
Security Guides

Scala Security Best Practices: JVM Supply Chain, Deserialization, and Framework CVEs

Scala's expressive type system does nothing about the JVM attack surface underneath it. Log4Shell, Jackson gadget chains, and Spark's command-injection CVE all reach Scala code directly.

Jul 5, 20266 min read
Security Guides

Subresource Integrity (SRI) Explained (2026)

Subresource Integrity pins a cryptographic hash to every script you load from a CDN, so a compromised CDN cannot silently swap in malicious code. Here is how it works and where it stops.

Jul 5, 20265 min read
Security Guides

.NET Dependency Vulnerability Scanning: A Practical Guide

How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.

Jul 4, 20265 min read
Security Guides

Securing Express Applications: A Layered Playbook

Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.

Jul 4, 20265 min read
Security Guides

Content Security Policy (CSP) Explained (2026)

A Content Security Policy is your last line of defense against XSS. Here is how CSP works, why nonce-based strict policies beat allowlists, and how to deploy one without breaking your app.

Jul 4, 20266 min read
Security Guides

C++ Security Best Practices: Memory Safety, Hardening Flags, and the C/C++ Supply Chain

Microsoft attributes roughly 70% of its CVEs to memory-safety bugs, and the xz backdoor proved the C/C++ supply chain is a live target. Here is the practical hardening path for code you can't rewrite.

Jul 4, 20266 min read
Security Guides

Database Credential Security (2026 Guide)

Database credentials are the last door between an attacker and your data. This guide covers eliminating static passwords with IAM auth, scoping least privilege, rotating safely, and detecting leaked connection strings.

Jul 4, 20266 min read
Security Guides

The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI

Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.

Jul 4, 20266 min read
Security Guides (Page 5) — Supply Chain Security Blog | Safeguard