application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
Unsafe Consumption of APIs
OWASP's API10:2023 exposes a blind spot: teams sanitize user input but blindly trust API responses from partners, vendors, and internal services.
What is Broken Object Level Authorization (BOLA)
BOLA lets attackers swap an object ID in an API request to pull someone else's data. Here's how it works, real breaches, and how to stop it.
What is an API Gateway and Its Security Role
An API gateway centralizes auth, routing, and rate limiting for every request — get it wrong and, as T-Mobile and Optus learned, millions of records leak.
What is Rate Limiting
Rate limiting caps requests per client to stop credential stuffing and scraping. Learn how it works, the algorithms, and real breaches it prevents.
What is API Authentication
API authentication verifies who's calling your API before authorization decides what they can do — here's how it works, common methods, and where it fails.
OAuth vs API Keys
OAuth and API keys aren't interchangeable: one is a static, long-lived credential, the other a scoped, expiring token. Here's how to choose, backed by real breaches.
What is Prompt Injection
Prompt injection is OWASP's #1 LLM risk. Learn how it works, real CVEs like EchoLeak, and how to detect and defend against it.
Risks of AI-Generated Code
AI coding assistants now write nearly half of some codebases—and research shows 45% of that code ships with exploitable flaws. Here's what security teams need to know.
What is Vibe Coding (and Its Security Risks)
Vibe coding lets AI write entire apps from a prompt with little human review — here's what it is, real incidents it's caused, and how to detect the risk.
What is Insecure Output Handling in LLMs
Insecure output handling lets LLM-generated text execute code, alter queries, or render unsanitized HTML — a real, exploitable OWASP LLM05:2025 risk.
IAST vs SAST in 2026: When to Use Which
A practical guide to when IAST adds value over SAST in 2026, with the workload characteristics that justify the operational cost of runtime instrumentation.
Insecure deserialization attack
A precise breakdown of what is an insecure deserialization attack, how object injection and gadget chains work in Java and Python, and how to defend against them.