application-security
Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.
613 articles
The four-phase roadmap for adopting DevSecOps
Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.
DOM clobbering: the XSS attack that never runs a script tag
DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.
Designing Secure Fastify Plugin Boundaries
Fastify's encapsulation model isolates plugin state by default — but one `fastify-plugin` wrapper or a stray `skip-override` symbol can silently punch a hole through every boundary you had.
Finding and fixing IDOR vulnerabilities in Python
Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.
Command injection in Go: os/exec, exec.Command, and how it still goes wrong
Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.
Designing an application security program from first principles
Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.
Hardening HTTP/2 against protocol-level DoS attacks
HTTP/2 Rapid Reset hit Google with 398 million requests per second in 2023 — a single protocol quirk, not a bug in any one server, drove the largest DDoS ever disclosed.
Identifying memory safety bugs with Valgrind
Valgrind's Memcheck catches use-after-free, leaks, and buffer overruns in unmodified C binaries — at the cost of running your program 10-50x slower.
Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages
NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.
Java SecurityManager is gone: a practical migration guide
JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.
Secure JWT handling: algorithm confusion, expiry, and storage done right
A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.
LDAP injection: a technical primer and defense guide
LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.