Safeguard
Tag

appsec

Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.

331 articles

DevSecOps

A framework for consolidating SAST, DAST, and SCA tools

Enterprises run 45 security tools on average, and 50+ tool stacks detect incidents 8% worse. Here's when AppSec consolidation actually pays off.

Jul 15, 20266 min read
Best Practices

AppSec anti-patterns to eliminate

23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.

Jul 14, 20266 min read
DevSecOps

Why developers ignore security tools, and how to fix it

Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.

Jul 13, 20266 min read
DevSecOps

Building security programs with limited headcount

The developer-to-security ratio is roughly 100:1. A framework for scaling AppSec impact through automation and enablement when hiring isn't the answer.

Jul 12, 20266 min read
Application Security

How to actually implement TLS correctly in Python

One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.

Jul 12, 20265 min read
Application Security

How modern SAST engines model data flow and taint tracking

Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.

Jul 11, 20266 min read
Best Practices

Building a secure coding culture: training, champions, and incentives that stick

Verizon's 2025 DBIR found the human element in ~60% of breaches. A practical playbook for training, champions programs, and incentives that actually change developer behavior.

Jul 10, 20267 min read
Best Practices

Running internal CTFs to build real security skills on engineering teams

picoCTF drew 39,000 players in 2019 across 160 countries — proof that gamified security training scales. Here's how to run the same model internally.

Jul 10, 20266 min read
Application Security

JWT security vulnerabilities and best practices

The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.

Jul 10, 20266 min read
Vulnerability Management

Reachability analysis for vulnerability triage

Only 10-30% of SCA findings are ever actually invoked by your code. Reachability analysis finds which ones, cutting patch backlogs without hiding real risk.

Jul 10, 20265 min read
AI Security

AI agents in AppSec pipelines: triage, remediation, and guardrails

GitHub's Copilot Autofix cuts median fix time from 1.5 hours to 28 minutes — but a 2025 Replit agent incident shows why autonomy needs hard limits.

Jul 9, 20266 min read
Industry Analysis

The emerging role of the AI security engineer

OWASP's 2025 LLM Top 10 ranks prompt injection #1 and calls it structurally unfixable by parameterization — a signal that AppSec skills alone no longer cover the job.

Jul 9, 20267 min read
appsec — Safeguard Blog