application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
A framework for integrating ASPM into an existing AppSec program
Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.
Why asset inventory should come before AppSec tooling
Only 17% of organizations can inventory 95%+ of their assets, and 69% have been breached through one they didn't know existed — start with the map, not the scanner.
Beyond vulnerability management: a risk-based approach to AppSec
Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.
Broken access control in Express: the OWASP #1 risk, fixed with middleware
Broken access control now shows up in 100% of tested applications, per OWASP's 2025 Top 10 — up from 94% in 2021. Here's how to close it in Express.
Browser extensions are the softest target in your stack
A patched Grammarly bug let any website steal a user's documents; a 2025 flaw in Anthropic's Claude extension enabled silent prompt injection. Extensions keep failing the same three ways.
Memory-Safety Vulnerabilities in C/C++: What Static and Dynamic Analysis Actually Catch
Roughly 70% of the CVEs Microsoft and Google's Chrome team assign each year trace to memory-unsafe C/C++ code — how static analysis, sanitizers, and fuzzers each catch a different slice of it.
Python code injection: eval, exec, and pickle explained
eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.
Command injection in Python: subprocess, os.system, and safe-by-default patterns
os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.
CTF writeup patterns: serialization and cryptographic puzzles, decoded
CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.
Why AI-generated code needs DAST, not just SAST
Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.
Data loss prevention for developers: stopping leaks before they hit the network
CWE-532 covers secrets logged in plaintext — the exact bug that led Twitter to reset every password on May 3, 2018. Network DLP can't catch it; your code has to.
Dependency injection in Python: a guide to testability and security boundaries
FastAPI shipped a built-in DI container in its very first release in December 2018 — but the same swappability that makes DI testable can quietly ship a mock into production.