application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
Java Secrets Management: Getting Credentials Out of Your Code
Hardcoded credentials are among the most common findings in Java codebases. Here's how to externalize, rotate, and protect secrets properly in 2026.
A Security Engineer Career Roadmap for 2026
From your first junior role to senior specialist, here is a realistic security engineer career roadmap—the stages, the skills at each one, the specializations to choose between, and a mostly free path to get started.
A practical guide to bug bounty hunting
HackerOne alone has paid hackers over $300M since 2012, but most new researchers earn nothing — duplicates, not skill gaps, are the top reason first reports fail.
Choosing a security tool for AI-generated code
GitHub reported in 2024 that Copilot writes up to 46% of code in enabled files — the same vulnerability classes humans write, now shipped at machine speed.
Preventing SQL injection in Node.js applications
CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.
Preventing SSRF in Node.js applications
A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.
How the security industry is scaling partnerships for AI risk
No vendor covers model security, agent runtime policy, supply-chain risk, and code-level AppSec alone — partner-sourced ARR at one major vendor grew over 6x from 2023 to 2025.
What Is ASPM (Application Security Posture Management)?
Application Security Posture Management (ASPM) unifies findings from every AppSec tool into one correlated, prioritized view of your risk. Here's what ASPM is, the tool-sprawl problem it solves, and how it differs from CSPM and ASOC.
Introducing First-Party SAST and DAST: One Findings Model Across Code and Runtime
Safeguard is extending the platform with first-party static (SAST) and dynamic (DAST) application security testing — sharing one unified findings model with SCA, secrets, container, and IaC, with defensive-only DAST that only ever touches targets you've proven you own.
Essential Security Skills Every Developer Should Learn
Security is no longer a separate team's job. Here are the essential security skills every developer should build in 2026—why they matter to your career, how to learn them for free, and how to prove you have them.
Snyk vs SonarQube for SAST
Snyk Code and SonarQube both do SAST, but neither started as a supply chain security platform. Here's how their approaches differ, and where Safeguard fits.
What Is Application Security (AppSec) 101
AppSec used to mean scanning code for known bugs. Here's why that's no longer enough, what CVE-matching tools like Snyk miss, and what a real supply chain security program requires.