Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

DevSecOps

The four-phase roadmap for adopting DevSecOps

Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.

Jul 8, 20267 min read
Application Security

DOM clobbering: the XSS attack that never runs a script tag

DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.

Jul 8, 20266 min read
Application Security

Designing Secure Fastify Plugin Boundaries

Fastify's encapsulation model isolates plugin state by default — but one `fastify-plugin` wrapper or a stray `skip-override` symbol can silently punch a hole through every boundary you had.

Jul 8, 20267 min read
Application Security

Finding and fixing IDOR vulnerabilities in Python

Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.

Jul 8, 20266 min read
Application Security

Command injection in Go: os/exec, exec.Command, and how it still goes wrong

Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.

Jul 8, 20266 min read
Application Security

Designing an application security program from first principles

Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.

Jul 8, 20267 min read
Application Security

Hardening HTTP/2 against protocol-level DoS attacks

HTTP/2 Rapid Reset hit Google with 398 million requests per second in 2023 — a single protocol quirk, not a bug in any one server, drove the largest DDoS ever disclosed.

Jul 8, 20266 min read
Application Security

Identifying memory safety bugs with Valgrind

Valgrind's Memcheck catches use-after-free, leaks, and buffer overruns in unmodified C binaries — at the cost of running your program 10-50x slower.

Jul 8, 20266 min read
Best Practices

Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages

NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.

Jul 8, 20267 min read
Application Security

Java SecurityManager is gone: a practical migration guide

JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.

Jul 8, 20267 min read
Application Security

Secure JWT handling: algorithm confusion, expiry, and storage done right

A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.

Jul 8, 20266 min read
Application Security

LDAP injection: a technical primer and defense guide

LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.

Jul 8, 20266 min read
application-security (Page 9) — Safeguard Blog