application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
XXE (XML External Entity) attack
A precise breakdown of what an XXE attack is, how XML external entity injection works, a real-world exploit example, the billion laughs attack, and prevention techniques.
C# and .NET Security Explained
C# and .NET security explained: real CVEs, NuGet supply-chain attacks, BinaryFormatter risk, and the SolarWinds lesson every .NET team needs.
PHP Security Explained
PHP still runs ~74% of the web. From the 2024 PHP-CGI RCE to WordPress plugin flaws, here's what actually breaks PHP apps in production.
Static Analysis vs Dynamic Analysis
Static analysis reads code before it runs; dynamic analysis watches it execute. Here's how the two differ, catch different bugs, and work best together.
IAST vs RASP: A Decision Tree for 2026
When to deploy IAST, when to deploy RASP, and when to skip both. A pragmatic decision tree based on application architecture, threat model, and operational maturity.
How to set up SAST scanning in a GitHub Actions pipeline
A step-by-step guide to setting up SAST scanning in GitHub Actions with CodeQL and Semgrep, including config, gating, and troubleshooting tips.
Runtime Application Security Protection (RASP), Explained
Runtime application security protection instruments your app from the inside so it can block attacks in production, not just flag them in a report.
How to set up DAST scanning in a CI/CD pipeline
A practical guide to building a DAST scanning CI/CD pipeline with OWASP ZAP — setup, integration, rule tuning, and troubleshooting for real deployments.
WAF vs RASP
WAF vs RASP: how edge filtering and runtime protection differ, why Log4Shell exposed WAF blind spots, and when security teams need both layers.
Snyk's Market Trajectory Under Peter McKay
Peter McKay has led Snyk as CEO since 2020, steering it from a developer-first open-source scanning tool into a broad, AI-integrated application security platform through a string of acquisitions and a sustained enterprise push.
How to set up secrets scanning in git repositories
A step-by-step guide to secrets scanning in git repositories using gitleaks and trufflehog, covering pre-commit hooks, CI enforcement, and history audits.
How to configure OWASP ZAP for automated scanning
A step-by-step guide to configuring OWASP ZAP for automated scanning in CI/CD, from Docker setup through baseline and API scans to pipeline gating.