application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
Out-of-Bounds Read Vulnerabilities (CWE-125) Explained
How out-of-bounds read vulnerabilities (CWE-125) leak memory instead of crashing programs, why Heartbleed and Cloudbleed happened, and how to catch them in your dependencies.
Out-of-Bounds Write Vulnerabilities (CWE-787) Explained
CWE-787 out-of-bounds write bugs let attackers corrupt memory past a buffer's limit, causing crashes or code execution. Here's how they work.
Improper Restriction of Operations Within Memory Bounds
CWE-119 has topped MITRE's vulnerability rankings for years, from Heartbleed to WannaCry to the 2023 libwebp zero-day. Here's why it persists and how to catch it early.
Integer Overflow and Wraparound Vulnerabilities
A single wrapped integer minted 184B bitcoin, grounded 787s, and erased $900M from a crypto token. Here's how overflow bugs work—and how Safeguard catches them first.
Double-Free Vulnerabilities in C and C++
Double-free bugs let attackers corrupt heap memory and hijack control flow. Here's how they happen in C/C++, real CVEs, and how to catch them early.
Memory Leak Vulnerabilities: Causes and Detection
Memory leaks aren't just a performance bug — from Heartbleed to Samba's CVE-2018-16851, they're a documented attack surface. Here's how they're caused, scored, and detected.
Null Pointer Dereference Vulnerabilities
A single unchecked pointer can crash a server. Here's what null pointer dereference vulnerabilities are, real CVEs like OpenSSL's, and how to catch them.
Uncaught Exception Security Risks
An uncaught exception isn't just a crash: it caused the Equifax breach and Log4j outages. See how exception-handling bugs become real security incidents.
Insufficient Encapsulation Vulnerabilities
An insufficient encapsulation vulnerability (CWE-485) exposes internal state to untrusted code. See how it drove real CVEs in Velocity, Lodash, and BeanUtils.
Generation of Predictable Numbers or Identifiers
From Debian's 2008 OpenSSL bug to First American's 885-million-record leak, predictable identifiers keep breaking security. Here's how the vulnerability works and how to stop it.
NoSQL Injection Attack Techniques
NoSQL injection lets attackers bypass logins and hijack MongoDB/CouchDB apps using operators like $ne and $where. Here's how it works and how to stop it.
Best fuzz testing tools for finding software vulnerabilities
A practical, no-hype comparison of AFL++, libFuzzer, OSS-Fuzz, Honggfuzz, Jazzer, and Mayhem — with real strengths, limitations, and how to choose.