appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
331 articles
A framework for consolidating SAST, DAST, and SCA tools
Enterprises run 45 security tools on average, and 50+ tool stacks detect incidents 8% worse. Here's when AppSec consolidation actually pays off.
AppSec anti-patterns to eliminate
23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.
Why developers ignore security tools, and how to fix it
Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.
Building security programs with limited headcount
The developer-to-security ratio is roughly 100:1. A framework for scaling AppSec impact through automation and enablement when hiring isn't the answer.
How to actually implement TLS correctly in Python
One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.
How modern SAST engines model data flow and taint tracking
Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.
Building a secure coding culture: training, champions, and incentives that stick
Verizon's 2025 DBIR found the human element in ~60% of breaches. A practical playbook for training, champions programs, and incentives that actually change developer behavior.
Running internal CTFs to build real security skills on engineering teams
picoCTF drew 39,000 players in 2019 across 160 countries — proof that gamified security training scales. Here's how to run the same model internally.
JWT security vulnerabilities and best practices
The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.
Reachability analysis for vulnerability triage
Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.
AI agents in AppSec pipelines: triage, remediation, and guardrails
GitHub's Copilot Autofix cuts median fix time from 1.5 hours to 28 minutes — but a 2025 Replit agent incident shows why autonomy needs hard limits.
The emerging role of the AI security engineer
OWASP's 2025 LLM Top 10 ranks prompt injection #1 and calls it structurally unfixable by parameterization — a signal that AppSec skills alone no longer cover the job.