application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
Path Traversal Prevention in Rust with fs::canonicalize
fs::canonicalize resolves `..` and symlinks into one absolute path, but it can't fix TOCTOU races, missing files, or Windows prefix quirks on its own. Here's the safe pattern.
XXE Prevention in Python with resolve_entities=False
Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.
Insecure Deserialization Prevention in Python: yaml.safe_...
Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.
Secure Random Number Generation in Ruby with SecureRandom
Ruby's built-in rand() uses a predictable Mersenne Twister and should never generate tokens, passwords, or session IDs. Here's how SecureRandom fixes that.
CVE-2021-25287: Buffer overflow in Pillow SGI decoder
A heap buffer overflow in Pillow's SGI image decoder (CVE-2021-25287) let crafted images corrupt memory. Here's the impact, fix, and remediation guidance.
CVE-2021-25288: Buffer overflow in Pillow FLI decoder
CVE-2021-25288 is a buffer overflow in Pillow's FLI decoder, fixed in Pillow 8.1.0. Here's what's affected, the risk profile, and how to remediate.
Java Code Security: A Practical Checklist
Java code security has a specific set of recurring failure modes — deserialization, XXE, dependency sprawl — this checklist covers the ones worth checking on every review.
API Scanner Tools: What to Look For
An API scanner tool needs to do more than replay a Postman collection against your endpoints. Here's what actually separates a useful API scanner from one that generates noise.
How Snyk Code's semantic analysis engine builds a code mo...
A mechanical look at how Snyk Code's semantic analysis engine parses source into a code model, tracks data flow across files, and prioritizes vulnerability findings.
Inside DeepCode AI: how Snyk Code's ML models are trained...
How Snyk's DeepCode AI turns millions of open-source commit fixes into the symbolic-AI and ML models powering Snyk Code's vulnerability detection and autofixes.
How taint analysis works in Snyk Code: tracking data from...
Snyk Code traces untrusted data from source to sink using interprocedural static analysis and ML ranking. Here's how the taint-tracking mechanics work.
How Snyk Code performs interprocedural data-flow analysis...
How Snyk Code tracks tainted data across function and file boundaries using call-graph summaries, taint propagation, and hybrid symbolic AI rules.