Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Application Security

The OWASP Top 10:2025, explained with minimal fix-it code

OWASP reordered its Top 10 for 2025 — Broken Access Control is back at #1 and a new Mishandling of Exceptional Conditions category debuts at #10.

Jul 15, 20269 min read
Application Security

Path traversal, decoded: canonicalization patterns across languages

CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.

Jul 15, 20266 min read
Application Security

React and TypeScript security best practices for 2026

A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.

Jul 15, 20266 min read
Application Security

Designing a secure Node.js API gateway: auth, rate limits, validation, and signing

CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.

Jul 15, 20266 min read
Best Practices

Secure Coding Fundamentals: A No-Jargon Checklist for New Developers

Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.

Jul 15, 20267 min read
Application Security

Secure file uploads in Node.js and Fastify

CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.

Jul 15, 20266 min read
Application Security

Memory safety in C/C++: the vulnerability classes that won't go away

Microsoft found ~70% of its patched CVEs trace to memory-safety bugs. Here's how buffer overflows, use-after-free, and double-free still happen — and what actually catches them.

Jul 14, 20267 min read
Application Security

Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared

None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.

Jul 14, 20266 min read
Application Security

Why Math.random() is a security bug waiting to happen

A 2008 Debian OpenSSL patch cut key entropy to ~32,768 values; a 2012 scan found 0.75% of TLS certs shared keys. Weak PRNGs still cause real breaches.

Jul 14, 20266 min read
Application Security

Preventing mass assignment in Spring MVC and Spring Boot

CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.

Jul 14, 20266 min read
Application Security

Mass assignment in Node, Express, and Mongoose apps

One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.

Jul 14, 20266 min read
Application Security

Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation

One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.

Jul 14, 20266 min read
application-security (Page 2) — Safeguard Blog