application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
A hands-on stack buffer overflow in C++: root cause and mitigations
The Morris Worm hit ~6,000 machines in 1988 via one unsafe gets() call. We build and hijack a stack overflow in C++ to teach why canaries and ASLR exist.
Modern C++ security: smart pointers, bounds checking, and static analysis
Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.
A hardening checklist for modern Drupal deployments
Drupal 7's 2025 end-of-life left unsupported sites exposed; here's a concrete checklist for module vetting, access control, and patch cadence on Drupal 10/11.
Why assert is not a security control in Python
Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.
The Python code review security checklist: eval, pickle, and shell=True
Bandit ships named checks for eval, pickle, and shell=True — B307, B301, B602 — yet these three smells still slip past manual review into production Python.
React security best practices: stopping XSS, dangerouslySetInnerHTML, and dependency risk
React auto-escapes JSX text by default, but dangerouslySetInnerHTML, href injection, and a 500-package npm worm show where that protection stops.
Robust URL Validation in Python: Stopping SSRF and Open Redirects
One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.
Building an authenticated, TLS-secured WebSocket server in Python
WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.
The most common C++ vulnerability classes, and the tooling that catches them
Memory-safety bugs account for roughly 70% of high-severity CVEs in large C/C++ codebases at Microsoft and Google. Here's why, and what actually stops them.
Webhook security best practices: HMAC signing, replay protection, and IP allowlisting
Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.
How to Discover Shadow and Undocumented APIs Before Attackers Do
A single undocumented API endpoint exposed 10 million Optus records in 2022. Here's how to find shadow APIs in production and assess their real exposure.
A primer on the OWASP API Security Top 10 and how to test for it
The OWASP API Security Top 10 dropped Injection entirely in its 2023 update and added SSRF — most REST and GraphQL teams still test for the old list.