Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
Gradle Dependency Security: Locking, Verification, and Version Catalogs
Secure Gradle builds in 2026 with dependency locking, cryptographic dependency verification, version catalogs, and reachability-aware CVE scanning.
Jackson-databind Security Guide (2026)
Jackson-databind is the default JSON engine for the Java ecosystem — and the source of one of the longest deserialization CVE sagas in open source. Here is how to run it safely.
Laravel Security Best Practices: Mass Assignment, Blade, and Debug Mode
Laravel's defaults are solid, but $guarded misuse, {!! !!} in Blade, and APP_DEBUG=true in production have all led to real compromises. Here's the fix.
Scanning NuGet Packages for Vulnerabilities in .NET
The .NET SDK ships a built-in vulnerability scanner: dotnet list package --vulnerable. Here is how to audit NuGet dependencies with it — and where to go beyond it.
NuGet Supply Chain Security: Protecting Your .NET Dependencies
How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.
OWASP A06: Vulnerable and Outdated Components — A Deep-Dive Guide
Vulnerable and Outdated Components rank #6 in the OWASP Top 10 (2021). A deep dive into transitive risk, real CVEs like Log4Shell, and how to fix it in 2026.
Pillow (PIL) Security Guide (2026)
Pillow is the default image library for Python — and because it parses untrusted image bytes and once shipped an eval-based ImageMath, it has a long, real CVE history spanning arbitrary code execution and native buffer overflows.
How to Prevent Prototype Pollution in JavaScript
Prototype pollution turns a single crafted JSON key into process-wide corruption — and it has escalated to RCE in real Node.js apps. Here is how the attack works and four layers of defense that stop it.
Preventing Command Injection in Python
Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.
Securing the Go Modules Supply Chain: Proxy, Checksums, and Provenance End to End
The Go module system ships with a tamper-evident checksum log and a public proxy most teams never configure deliberately. Here's how to turn those defaults into a real supply-chain control plane.
Auditing Rust Dependencies with cargo-audit
cargo-audit checks your Cargo.lock against the RustSec Advisory Database, flagging vulnerable, yanked, and unmaintained crates. Here is how to use it and extend it.
Preventing SQL Injection in .NET with Entity Framework Core
How SQL injection still happens in Entity Framework Core apps, which EF Core APIs are safe by default, which ones aren't, and the exact patterns that keep raw SQL parameterized.