application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
Secure session lifecycle management: tokens, rotation, and cookie flags
OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.
Robust input validation in Spring Boot: Bean Validation and its bypasses
Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.
The most common Spring Boot security misconfigurations, and how to fix them
CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.
Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns
Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.
Symmetric vs Asymmetric Encryption in Python: A Practical Guide
One key or two? A working comparison of Fernet and RSA in Python's cryptography library — with the OAEP-vs-PKCS1v15 mistake that still causes padding-oracle bugs.
Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox
CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.
Verifying webhook signatures correctly
Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.
Building Secure VS Code Extensions: A Developer's Guide
VS Code extensions run as trusted Node.js code with full disk and network access and no permission model to fall back on. Here is how to build one that does not become the next supply chain incident.
Web cache poisoning: attack mechanics and prevention
A 2024 academic scan of the Tranco Top 1000 domains found roughly 17% vulnerable to web cache poisoning — here's how the attack works and how to stop it at the edge.
WebAssembly's security model: sandbox guarantees and the attack surface that remains
Two Critical Wasmtime sandbox-escape CVEs landed on the same day in April 2026 — proof that a wasm sandbox is only as strong as the runtime enforcing it.
XS-Leaks explained: cross-site leak techniques and the defenses that stop them
XS-Leaks bypass the Same-Origin Policy without running a single line of attacker script — they read state through timing, frame counts, and error events instead.
ISO 27001 application security: the Annex A controls that govern your code
ISO/IEC 27001:2022 added and sharpened Annex A controls for secure development and technical vulnerabilities. Here's how they apply to application and supply chain security.