application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
The OWASP Top 10:2025, explained with minimal fix-it code
OWASP reordered its Top 10 for 2025 — Broken Access Control is back at #1 and a new Mishandling of Exceptional Conditions category debuts at #10.
Path traversal, decoded: canonicalization patterns across languages
CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.
React and TypeScript security best practices for 2026
A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.
Designing a secure Node.js API gateway: auth, rate limits, validation, and signing
CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
Secure file uploads in Node.js and Fastify
CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.
Memory safety in C/C++: the vulnerability classes that won't go away
Microsoft found ~70% of its patched CVEs trace to memory-safety bugs. Here's how buffer overflows, use-after-free, and double-free still happen — and what actually catches them.
Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared
None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.
Why Math.random() is a security bug waiting to happen
A 2008 Debian OpenSSL patch cut key entropy to ~32,768 values; a 2012 scan found 0.75% of TLS certs shared keys. Weak PRNGs still cause real breaches.
Preventing mass assignment in Spring MVC and Spring Boot
CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.
Mass assignment in Node, Express, and Mongoose apps
One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.
Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation
One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.