Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Industry Analysis

Path Traversal Prevention in Rust with fs::canonicalize

fs::canonicalize resolves `..` and symlinks into one absolute path, but it can't fix TOCTOU races, missing files, or Windows prefix quirks on its own. Here's the safe pattern.

Oct 23, 20257 min read
Industry Analysis

XXE Prevention in Python with resolve_entities=False

Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.

Oct 22, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in Python: yaml.safe_...

Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.

Oct 20, 20257 min read
Industry Analysis

Secure Random Number Generation in Ruby with SecureRandom

Ruby's built-in rand() uses a predictable Mersenne Twister and should never generate tokens, passwords, or session IDs. Here's how SecureRandom fixes that.

Oct 19, 20257 min read
Application Security

CVE-2021-25287: Buffer overflow in Pillow SGI decoder

A heap buffer overflow in Pillow's SGI image decoder (CVE-2021-25287) let crafted images corrupt memory. Here's the impact, fix, and remediation guidance.

Oct 5, 20258 min read
Application Security

CVE-2021-25288: Buffer overflow in Pillow FLI decoder

CVE-2021-25288 is a buffer overflow in Pillow's FLI decoder, fixed in Pillow 8.1.0. Here's what's affected, the risk profile, and how to remediate.

Oct 5, 20258 min read
AppSec

Java Code Security: A Practical Checklist

Java code security has a specific set of recurring failure modes — deserialization, XXE, dependency sprawl — this checklist covers the ones worth checking on every review.

Sep 25, 20255 min read
AppSec

API Scanner Tools: What to Look For

An API scanner tool needs to do more than replay a Postman collection against your endpoints. Here's what actually separates a useful API scanner from one that generates noise.

Sep 17, 20255 min read
Application Security

How Snyk Code's semantic analysis engine builds a code mo...

A mechanical look at how Snyk Code's semantic analysis engine parses source into a code model, tracks data flow across files, and prioritizes vulnerability findings.

Sep 14, 20257 min read
Application Security

Inside DeepCode AI: how Snyk Code's ML models are trained...

How Snyk's DeepCode AI turns millions of open-source commit fixes into the symbolic-AI and ML models powering Snyk Code's vulnerability detection and autofixes.

Sep 14, 20258 min read
Application Security

How taint analysis works in Snyk Code: tracking data from...

Snyk Code traces untrusted data from source to sink using interprocedural static analysis and ML ranking. Here's how the taint-tracking mechanics work.

Sep 14, 20258 min read
Application Security

How Snyk Code performs interprocedural data-flow analysis...

How Snyk Code tracks tainted data across function and file boundaries using call-graph summaries, taint propagation, and hybrid symbolic AI rules.

Sep 14, 20258 min read
application-security (Page 44) — Safeguard Blog