appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
What is XML External Entity (XXE) Injection
XXE injection lets attackers abuse XML parsers to read files, trigger SSRF, or crash services. Here's how it works, real CVEs, and how to stop it.
Best Secrets Detection Tools: 2026 Buyer's Guide
A field comparison of the best secrets detection tools in 2026 across precision, secret variety, and CI integration for teams hardening their supply chain.
ASPM Security: Application Security Posture Management Explained
ASPM doesn't scan anything new — it aggregates and prioritizes findings your existing SAST, DAST, and SCA tools already produce, which is exactly the problem most AppSec teams actually have.
Application Security Automation: What to Automate First
Automation pays off in a strict order: dependencies, secrets, static analysis, then dynamic testing. Here is the sequence, why it works, and what should stay manual.
What Are Security Logging and Monitoring Failures
Equifax went undetected for 76 days, Marriott for four years. Here's what security logging and monitoring failures are, why they happen, and how to close the gap.
Cybersecurity Platforms: When Consolidation Wins
Consolidating point tools into a platform can cut cost and alert fatigue — or lock you into one vendor's blind spots. Here is a clear-eyed rule for when cybersecurity platforms pay off and when they do not.
What Is a Security Champion?
A security champion is a developer who advocates for security inside their team, bridging engineering and the security function. Learn the role, how programs work, and why they scale culture.
What is API Security
API security explained: what it is, why APIs are the top breach vector, the OWASP API Top 10, real breaches, and how to test and monitor endpoints.
How to Secure REST APIs
REST APIs keep failing the same way: BOLA, weak auth, shadow endpoints. Real breaches (T-Mobile, Optus, Peloton) and concrete fixes for each.
API Security Misconfiguration
API misconfigurations exposed 37M T-Mobile and 9.8M Optus accounts without a single exploit. Here's why it keeps happening and how to stop it.
What Does a Product Security Engineer Actually Do?
Product security engineer isn't just AppSec with a different title — it's the role that owns security decisions inside the product itself, not just the pipeline that ships it.
What is Code Signing
Code signing proves who published software and that it wasn't tampered with — but SolarWinds, CCleaner, and 3CX show signed doesn't mean safe.