Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Application Security

Preventing insecure deserialization in Node.js

A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.

Jul 13, 20265 min read
Application Security

Preventing SMTP injection vulnerabilities in email-sending code

A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.

Jul 13, 20266 min read
Application Security

Preventing XSS in Java Spring and JSP applications

OWASP folded XSS into A03:2021-Injection, present in ~3.37% of tested apps — raw JSP EL output and a missing CSP header are still the two most common causes.

Jul 13, 20266 min read
Application Security

How catastrophic regex backtracking causes ReDoS — and how to stop it

A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.

Jul 13, 20266 min read
Application Security

Safely Parsing Untrusted URLs in Node.js

Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.

Jul 13, 20266 min read
Application Security

XPath injection: how it happens and how to stop it in Java, .NET, and PHP

A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.

Jul 13, 20266 min read
Application Security

DNS attack techniques and defenses

Cache poisoning, tunneling, and NXDOMAIN floods all abuse the same trust: DNS was built to be fast and open, not authenticated.

Jul 12, 20266 min read
Application Security

Fuzz testing for AppSec teams: AFL++, libFuzzer, and OSS-Fuzz

OSS-Fuzz has found over 13,000 vulnerabilities since 2016, yet most AppSec teams still treat fuzzing as a research curiosity rather than a pipeline stage.

Jul 12, 20267 min read
Application Security

How to actually implement TLS correctly in Python

One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.

Jul 12, 20265 min read
Application Security

Java DTOs for secure data handling

A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.

Jul 12, 20266 min read
Application Security

The security implications of Node.js worker_threads

Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.

Jul 12, 20266 min read
Application Security

Python linting for security hygiene: what flake8, pylint, and bandit actually catch

Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.

Jul 12, 20266 min read
application-security (Page 4) — Safeguard Blog