Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Application Security

Argument injection in Git and Mercurial CLI wrappers

A branch name like --upload-pack=/bin/sh isn't a string to Git — it's a flag. CVE-2017-1000117 and CVE-2017-1000116 show why that distinction matters.

Jul 10, 20266 min read
Application Security

Detecting weak cryptographic algorithms in code

SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.

Jul 10, 20267 min read
Compliance & Frameworks

What healthtech AppSec needs beyond generic security practices

242.9 million records were exposed in 2024 HIPAA breaches. Generic AppSec checklists don't satisfy FDA premarket SBOM rules or a pending HIPAA rewrite.

Jul 10, 20266 min read
Application Security

JWT security vulnerabilities and best practices

The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.

Jul 10, 20266 min read
Application Security

Securing gRPC APIs: mTLS, Interceptors, and Input Validation

CVE-2023-44487 knocked grpc-go services offline with a Rapid Reset flood — a reminder that gRPC ships fast, insecure by default, and needs hardening at every layer.

Jul 10, 20266 min read
Application Security

Where should your SPA store auth tokens?

OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.

Jul 10, 20266 min read
Application Security

Symbolic Reasoning vs. LLMs: Which Static Analysis Actually Finds Bugs?

The CASTLE benchmark tested 13 static analyzers and 10 LLMs on 250 programs — neither approach won outright, and the reasons why matter for your AppSec stack.

Jul 10, 20266 min read
Application Security

AI-driven DAST for modern applications

73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.

Jul 9, 20267 min read
Vulnerability Management

CVE-2025-29927: inside the Next.js middleware auth bypass

A single spoofed header let attackers skip Next.js middleware entirely — CVSS 9.1, four major versions affected, exploited in the wild within days.

Jul 9, 20266 min read
Compliance & Frameworks

A HIPAA technical safeguards checklist for application security teams

HHS reported 663 large healthcare breaches in 2024 exposing 242.9M records. Here's how §164.312's technical safeguards map to concrete app-sec controls.

Jul 9, 20267 min read
Application Security

Inside CVE-2025-55182: the React Server Components RCE and how to defend against it

A CVSS 10.0 pre-auth RCE in React Server Components, exploited within 48 hours of disclosure — how the deserialization flaw works and how to mitigate it.

Jul 9, 20266 min read
Application Security

Reducing false positives in SAST and SCA tools

NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.

Jul 9, 20266 min read
application-security (Page 6) — Safeguard Blog