application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
OWASP ASVS 5.0 Adoption Guide
OWASP ASVS 5.0 restructured the verification levels and added new requirements for modern stacks. A practical adoption guide for teams using ASVS as their security baseline.
Buffer Overflow Exploits: A Practical Example
A buffer overflow exploit example, walked through step by step, showing exactly how writing past the end of a fixed-size buffer can turn a simple C function into arbitrary code execution.
Static Code Analysis in Cyber Security: What It Actually Does
Static code analysis in cyber security means scanning source code without running it to catch injection flaws, hardcoded secrets, and unsafe patterns before they ship — here's what it catches and what it misses.
Threat Modelling: STRIDE, PASTA, and a Process That Ships
Threat modelling fails when it becomes a 40-page document nobody reads. Here is what STRIDE and PASTA actually offer, and a lightweight process that survives contact with sprint deadlines.
The Java Security Manager Is Deprecated: What to Use Instead
JEP 411 deprecated the Java Security Manager for removal, and years of accumulated java security flaws in its trust model are why the platform is retiring it rather than fixing it further.
OWASP Training: How to Actually Run It for a Dev Team
OWASP training only sticks when it's tied to the vulnerabilities your own codebase actually has, not a generic slide deck run once a year.
What Is vm2? The Node.js Sandbox and Its Security History
vm2 was the most popular way to run untrusted JavaScript inside Node.js — until a string of sandbox-escape CVEs and its 2023 deprecation showed why sandboxing a dynamic language is so hard to get right.
Eclipse Jetty Vulnerabilities: What to Patch and When
Jetty's HTTP/2 handling and older 9.4.x branches have carried real denial-of-service and information-disclosure CVEs — here's what a jetty 9.4.41 exploit actually looks like and which versions close it.
Data Vulnerability Classes in Modern Applications
Most breaches trace back to a handful of recurring data vulnerability patterns — from unencrypted storage to broken access checks. Here's how to categorize and prioritize them.
AI Agent Tool Calling Security: Risks and Mitigations
AI agents that call tools -- APIs, databases, file systems, code interpreters -- convert non-deterministic LLM output into real-world actions. Securing this boundary is the defining challenge of agentic AI.
Unrestricted File Upload Vulnerabilities: Risks and Fixes
An unrestricted file upload vulnerability lets an attacker place a working web shell on your server through a form that was only ever supposed to accept profile pictures or PDFs.
Security Testing for LLM-Powered Applications
Applications built on large language models introduce novel attack surfaces that traditional security testing does not cover. This guide addresses the specific testing methodologies needed for LLM applications.