Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Application Security

Secure session lifecycle management: tokens, rotation, and cookie flags

OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.

Jul 8, 20266 min read
Application Security

Robust input validation in Spring Boot: Bean Validation and its bypasses

Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.

Jul 8, 20266 min read
Application Security

The most common Spring Boot security misconfigurations, and how to fix them

CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.

Jul 8, 20266 min read
Application Security

Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns

Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.

Jul 8, 20265 min read
Best Practices

Symmetric vs Asymmetric Encryption in Python: A Practical Guide

One key or two? A working comparison of Fernet and RSA in Python's cryptography library — with the OAEP-vs-PKCS1v15 mistake that still causes padding-oracle bugs.

Jul 8, 20267 min read
Application Security

Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox

CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.

Jul 8, 20266 min read
Application Security

Verifying webhook signatures correctly

Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.

Jul 8, 20267 min read
Application Security

Building Secure VS Code Extensions: A Developer's Guide

VS Code extensions run as trusted Node.js code with full disk and network access and no permission model to fall back on. Here is how to build one that does not become the next supply chain incident.

Jul 8, 20266 min read
Application Security

Web cache poisoning: attack mechanics and prevention

A 2024 academic scan of the Tranco Top 1000 domains found roughly 17% vulnerable to web cache poisoning — here's how the attack works and how to stop it at the edge.

Jul 8, 20266 min read
Application Security

WebAssembly's security model: sandbox guarantees and the attack surface that remains

Two Critical Wasmtime sandbox-escape CVEs landed on the same day in April 2026 — proof that a wasm sandbox is only as strong as the runtime enforcing it.

Jul 8, 20267 min read
Application Security

XS-Leaks explained: cross-site leak techniques and the defenses that stop them

XS-Leaks bypass the Same-Origin Policy without running a single line of attacker script — they read state through timing, frame counts, and error events instead.

Jul 8, 20266 min read
Compliance

ISO 27001 application security: the Annex A controls that govern your code

ISO/IEC 27001:2022 added and sharpened Annex A controls for secure development and technical vulnerabilities. Here's how they apply to application and supply chain security.

Jul 7, 20265 min read
application-security (Page 12) — Safeguard Blog