application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
XPath Injection Vulnerabilities
XPath injection lets attackers rewrite XML queries to bypass logins and steal data. Here is how it works, real incidents, and how Safeguard defends against it.
Expression Language Injection (ELI) in Java Applications
Expression language injection in Java has powered some of the decade's worst breaches, from Equifax to Confluence. Here's how OGNL and SpEL flaws actually get exploited.
DOM-Based XSS: Client-Side Sink Vulnerabilities
DOM-based XSS sink vulnerabilities let attacker data reach dangerous JavaScript sinks without touching the server, slipping past WAFs and static scanners.
Prototype Pollution in JavaScript Applications
Prototype pollution has hit lodash, jQuery, and minimist with real CVEs, from DoS to RCE. Here's how the bug works and how Safeguard catches it before it ships.
ReDoS: Regular Expression Denial of Service Attacks
ReDoS took down Cloudflare's global network for 27 minutes in 2019 and Stack Overflow in 2016. Here's how one bad regex causes an outage, and how to catch it first.
Code Injection via eval() and exec() Across Languages
eval() and exec() turn dynamic code execution into remote code execution. A cross-language look at how it happens in Python, JS, PHP, and Ruby.
Broken Object Level Authorization (BOLA/IDOR) in APIs
BOLA/IDOR has topped the OWASP API Security Top 10 since 2019. Here's how USPS, Peloton, and Parler got breached by it—and how to catch it before you do.
Best DevSecOps platforms for shift-left security
A fair, no-hype comparison of DevSecOps platforms — GitLab, GitHub, Snyk, Wiz, JFrog, and Checkmarx — plus what to evaluate for real shift-left security.
App Vulnerability Classes: A Field Guide
Not every app vulnerability behaves the same way — this field guide groups the common web vulnerabilities by root cause so triage and prevention actually map to something repeatable.
Black Box Fuzzing, Explained
Black box fuzzing throws malformed input at a running application with zero knowledge of its internals, and it still finds crashes and memory bugs white box testing misses — here's how it works and where it fits in a security program.
Best penetration testing platforms and services
A practical, no-hype comparison of penetration testing platforms and pentest-as-a-service vendors — what to evaluate, six real providers reviewed, and where supply chain risk fits in.
Dynamic Scanning, Explained for Engineers Who Aren't Security Specialists
Dynamic scanning tests a running application the way an attacker would, by sending it requests and watching what comes back. Here's what that actually involves and when it's the right tool.