Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Application Security

A framework for integrating ASPM into an existing AppSec program

Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.

Jul 8, 20266 min read
Application Security

Why asset inventory should come before AppSec tooling

Only 17% of organizations can inventory 95%+ of their assets, and 69% have been breached through one they didn't know existed — start with the map, not the scanner.

Jul 8, 20267 min read
Application Security

Beyond vulnerability management: a risk-based approach to AppSec

Fewer than 5% of published CVEs are ever exploited in the wild, yet most teams still triage by raw count — here's the exploitability-first alternative.

Jul 8, 20267 min read
Application Security

Broken access control in Express: the OWASP #1 risk, fixed with middleware

Broken access control now shows up in 100% of tested applications, per OWASP's 2025 Top 10 — up from 94% in 2021. Here's how to close it in Express.

Jul 8, 20266 min read
Application Security

Browser extensions are the softest target in your stack

A patched Grammarly bug let any website steal a user's documents; a 2025 flaw in Anthropic's Claude extension enabled silent prompt injection. Extensions keep failing the same three ways.

Jul 8, 20267 min read
Application Security

Memory-Safety Vulnerabilities in C/C++: What Static and Dynamic Analysis Actually Catch

Roughly 70% of the CVEs Microsoft and Google's Chrome team assign each year trace to memory-unsafe C/C++ code — how static analysis, sanitizers, and fuzzers each catch a different slice of it.

Jul 8, 20267 min read
Application Security

Python code injection: eval, exec, and pickle explained

eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.

Jul 8, 20265 min read
Application Security

Command injection in Python: subprocess, os.system, and safe-by-default patterns

os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.

Jul 8, 20266 min read
Application Security

CTF writeup patterns: serialization and cryptographic puzzles, decoded

CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.

Jul 8, 20267 min read
AI Security

Why AI-generated code needs DAST, not just SAST

Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.

Jul 8, 20266 min read
Best Practices

Data loss prevention for developers: stopping leaks before they hit the network

CWE-532 covers secrets logged in plaintext — the exact bug that led Twitter to reset every password on May 3, 2018. Network DLP can't catch it; your code has to.

Jul 8, 20267 min read
Application Security

Dependency injection in Python: a guide to testability and security boundaries

FastAPI shipped a built-in DI container in its very first release in December 2018 — but the same swappability that makes DI testable can quietly ship a mock into production.

Jul 8, 20267 min read
application-security (Page 8) — Safeguard Blog