appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
Secure Patterns for LLM Output Handling in 2026
LLM02 on the OWASP LLM Top 10 keeps quietly producing incidents because downstream systems trust model outputs they should not. Concrete patterns that hold up.
GitLab Ultimate Security Buyer Review 2026
GitLab bundles SAST, SCA, container scanning, and DAST into the Ultimate tier. Is the integrated story worth the premium over best-of-breed tools? An honest review.
What is the OWASP Software Assurance Maturity Model (SAMM)
A concrete breakdown of OWASP SAMM's 5 functions, 15 practices, and 30 streams, how its maturity levels work, and how it compares to BSIMM.
CVSS scoring
What is CVSS? A clear breakdown of the Common Vulnerability Scoring System, base vs temporal scores, CVSS v4 changes, and how to prioritize real risk.
CWE (Common Weakness Enumeration)
What is CWE? A plain-English guide to the Common Weakness Enumeration, how it differs from CVE, its classification hierarchy, and the Top 25 list.
Snyk vs Checkmarx Comparison
Snyk vs Checkmarx compared on SAST/SCA depth, pricing, IaC/container coverage, and their real Log4Shell response — plus where reachability analysis closes the gap.
CodeQL vs Semgrep: A 2026 Buyer Comparison
A practical head-to-head between CodeQL and Semgrep in 2026: query power, performance, rule authoring, and where each tool earns its place in a modern SAST program.
Open Source Static Code Analysis Tools
Open source static code analysis tools like Semgrep, CodeQL, and Bandit catch real bugs -- but miss supply-chain flaws like Log4Shell entirely.
IAST vs RASP: A Decision Tree for 2026
When to deploy IAST, when to deploy RASP, and when to skip both. A pragmatic decision tree based on application architecture, threat model, and operational maturity.
Application Security Consulting: What to Actually Expect
Application security consulting services range from a two-week penetration test to a multi-year embedded program, and knowing which one you're buying changes what you should expect to get out of it.
Application Security Testing Services: A Buyer's Guide
A practical framework for evaluating application security testing services in 2026, from what should be included by default to the questions that separate a real program from a checkbox audit.
Web Application Security Testing Tools in 2026
A category map of web application security testing tools in 2026, from SAST and DAST to API scanners, and how to pick a stack that matches your architecture.