Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Industry Analysis

XPath Injection Vulnerabilities

XPath injection lets attackers rewrite XML queries to bypass logins and steal data. Here is how it works, real incidents, and how Safeguard defends against it.

Nov 9, 20258 min read
Industry Analysis

Expression Language Injection (ELI) in Java Applications

Expression language injection in Java has powered some of the decade's worst breaches, from Equifax to Confluence. Here's how OGNL and SpEL flaws actually get exploited.

Nov 8, 20257 min read
Industry Analysis

DOM-Based XSS: Client-Side Sink Vulnerabilities

DOM-based XSS sink vulnerabilities let attacker data reach dangerous JavaScript sinks without touching the server, slipping past WAFs and static scanners.

Nov 8, 20258 min read
Industry Analysis

Prototype Pollution in JavaScript Applications

Prototype pollution has hit lodash, jQuery, and minimist with real CVEs, from DoS to RCE. Here's how the bug works and how Safeguard catches it before it ships.

Nov 8, 20257 min read
Industry Analysis

ReDoS: Regular Expression Denial of Service Attacks

ReDoS took down Cloudflare's global network for 27 minutes in 2019 and Stack Overflow in 2016. Here's how one bad regex causes an outage, and how to catch it first.

Nov 8, 20258 min read
Industry Analysis

Code Injection via eval() and exec() Across Languages

eval() and exec() turn dynamic code execution into remote code execution. A cross-language look at how it happens in Python, JS, PHP, and Ruby.

Nov 7, 20257 min read
Industry Analysis

Broken Object Level Authorization (BOLA/IDOR) in APIs

BOLA/IDOR has topped the OWASP API Security Top 10 since 2019. Here's how USPS, Peloton, and Parler got breached by it—and how to catch it before you do.

Nov 7, 20258 min read
DevSecOps

Best DevSecOps platforms for shift-left security

A fair, no-hype comparison of DevSecOps platforms — GitLab, GitHub, Snyk, Wiz, JFrog, and Checkmarx — plus what to evaluate for real shift-left security.

Nov 7, 20258 min read
Vulnerabilities

App Vulnerability Classes: A Field Guide

Not every app vulnerability behaves the same way — this field guide groups the common web vulnerabilities by root cause so triage and prevention actually map to something repeatable.

Nov 6, 20255 min read
AppSec

Black Box Fuzzing, Explained

Black box fuzzing throws malformed input at a running application with zero knowledge of its internals, and it still finds crashes and memory bugs white box testing misses — here's how it works and where it fits in a security program.

Nov 6, 20256 min read
Application Security

Best penetration testing platforms and services

A practical, no-hype comparison of penetration testing platforms and pentest-as-a-service vendors — what to evaluate, six real providers reviewed, and where supply chain risk fits in.

Nov 6, 20257 min read
AppSec

Dynamic Scanning, Explained for Engineers Who Aren't Security Specialists

Dynamic scanning tests a running application the way an attacker would, by sending it requests and watching what comes back. Here's what that actually involves and when it's the right tool.

Nov 4, 20256 min read
application-security (Page 42) — Safeguard Blog