Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

608 articles

Application Security

Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization

One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.

Jul 16, 20265 min read
Application Security

NoSQL injection prevention in MongoDB and Mongoose

A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.

Jul 16, 20267 min read
Best Practices

Secure code review: the checklist reviewers actually need

Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.

Jul 16, 20267 min read
Application Security

Trojan Source: how Unicode bidi control characters hide malicious code in plain sight

CVE-2021-42574 scored 8.3 CVSS for a bug that isn't a parser flaw at all — it's Unicode's bidirectional text algorithm, weaponized against code review.

Jul 16, 20266 min read
Application Security

URL parser confusion: how inconsistent parsing enables SSRF and auth bypass

Sixteen URL-parsing libraries tested, five inconsistency classes found, eight CVEs assigned — one wrong backslash can turn a validated URL into an SSRF.

Jul 16, 20266 min read
Application Security

Code injection risks in CLI tools and IDE plugins

A malicious npm dependency hid in event-stream for 8M downloads before detection. Developer tooling is a code-injection blast radius most teams never audit.

Jul 15, 20266 min read
Application Security

Exposed .git Directories and the Git Internals That Leak Your Source

Roughly 4.96 million IPs expose .git metadata today, and over 252,000 leak live credentials in .git/config — a 2018-era bug that never went away.

Jul 15, 20266 min read
Application Security

Implementing HSTS correctly in Node.js and Express

HSTS has one header and three flags, yet a misconfigured includeSubDomains or a premature preload submission can take a domain offline for months.

Jul 15, 20266 min read
Application Security

Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right

One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.

Jul 15, 20267 min read
Application Security

Log injection attacks and how to stop forging your own audit trail

One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.

Jul 15, 20265 min read
Application Security

RBAC vs. ABAC vs. ReBAC: choosing an access-control model for multi-tenant cloud apps

Google's Zanzibar paper (USENIX ATC 2019) showed relationship graphs authorizing access with sub-10ms latency at massive scale — here's when RBAC or ABAC beats it instead.

Jul 15, 20266 min read
Application Security

Nuxt 3 Security Hardening: CSP, SSR Leakage, and Safe Server Routes

Nuxt 3's server runs as one long-lived Node process — a single misplaced ref() can leak one user's data into another user's response.

Jul 15, 20266 min read
application-security — Safeguard Blog