Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

Gradle Dependency Security: Locking, Verification, and Version Catalogs

Secure Gradle builds in 2026 with dependency locking, cryptographic dependency verification, version catalogs, and reachability-aware CVE scanning.

Jul 4, 20265 min read
Security Guides

Jackson-databind Security Guide (2026)

Jackson-databind is the default JSON engine for the Java ecosystem — and the source of one of the longest deserialization CVE sagas in open source. Here is how to run it safely.

Jul 4, 20266 min read
Security Guides

Laravel Security Best Practices: Mass Assignment, Blade, and Debug Mode

Laravel's defaults are solid, but $guarded misuse, {!! !!} in Blade, and APP_DEBUG=true in production have all led to real compromises. Here's the fix.

Jul 4, 20265 min read
Security Guides

Scanning NuGet Packages for Vulnerabilities in .NET

The .NET SDK ships a built-in vulnerability scanner: dotnet list package --vulnerable. Here is how to audit NuGet dependencies with it — and where to go beyond it.

Jul 4, 20265 min read
Security Guides

NuGet Supply Chain Security: Protecting Your .NET Dependencies

How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.

Jul 4, 20265 min read
Security Guides

OWASP A06: Vulnerable and Outdated Components — A Deep-Dive Guide

Vulnerable and Outdated Components rank #6 in the OWASP Top 10 (2021). A deep dive into transitive risk, real CVEs like Log4Shell, and how to fix it in 2026.

Jul 4, 20266 min read
Security Guides

Pillow (PIL) Security Guide (2026)

Pillow is the default image library for Python — and because it parses untrusted image bytes and once shipped an eval-based ImageMath, it has a long, real CVE history spanning arbitrary code execution and native buffer overflows.

Jul 4, 20266 min read
Security Guides

How to Prevent Prototype Pollution in JavaScript

Prototype pollution turns a single crafted JSON key into process-wide corruption — and it has escalated to RCE in real Node.js apps. Here is how the attack works and four layers of defense that stop it.

Jul 4, 20265 min read
Security Guides

Preventing Command Injection in Python

Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.

Jul 4, 20265 min read
Security Guides

Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End

The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.

Jul 3, 20266 min read
Security Guides

Auditing Rust Dependencies with cargo-audit

cargo-audit checks your Cargo.lock against the RustSec Advisory Database, flagging vulnerable, yanked, and unmaintained crates. Here is how to use it and extend it.

Jul 3, 20265 min read
Security Guides

Preventing SQL Injection in .NET with Entity Framework Core

How SQL injection still happens in Entity Framework Core apps, which EF Core APIs are safe by default, which ones aren't, and the exact patterns that keep raw SQL parameterized.

Jul 3, 20266 min read
Security Guides (Page 6) — Supply Chain Security Blog | Safeguard