Safeguard
Tag

appsec

Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.

339 articles

Buyer's Guides

Best security champions program and developer training pl...

A practical buyer's guide to security champions program tools — evaluation criteria, six real vendors compared honestly, and how to measure whether training actually reduces vulnerabilities.

Nov 7, 20258 min read
Industry Analysis

Broken Function Level Authorization (BFLA) in APIs

BFLA lets a regular user call admin-only API functions. Here's how the USPS, Peloton, and Coinbase incidents happened — and how to catch it before attackers do.

Nov 7, 20257 min read
Industry Analysis

Security Misconfiguration in APIs

Optus, T-Mobile, Peloton, and USPS were all breached through misconfigured APIs, not exploits. Here's what causes it, what it costs, and how to catch it first.

Nov 6, 20257 min read
Industry Analysis

CORS Misconfiguration Vulnerabilities

CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.

Nov 4, 20256 min read
Industry Analysis

Insecure Randomness in Security-Sensitive Code

A single deleted line broke Debian's OpenSSL keys for two years. We break down real insecure randomness vulnerabilities and how Safeguard catches weak PRNGs before attackers do.

Oct 31, 20257 min read
Industry Analysis

Missing Encryption of Sensitive Data

Missing encryption of sensitive data (CWE-311) drove breaches from Equifax to CVS Health. Here's how it happens across the software supply chain and how to catch it early.

Oct 31, 20257 min read
Industry Analysis

Cleartext Sensitive Information in Cookies

Cleartext sensitive data in cookies (CWE-315) quietly enables account takeover and IDOR. Here's how it happens, why it survives review, and how Safeguard catches it.

Oct 30, 20257 min read
Industry Analysis

Unrestricted File Upload Vulnerabilities

Unrestricted file upload flaws let attackers turn a simple upload form into remote code execution. Here's how real-world CVEs happened, and how to prevent them.

Oct 30, 20257 min read
Industry Analysis

Insecure Temporary File Creation

Insecure temp file creation (CWE-377) still causes real CVEs today — from JUnit4 to npm's tmp package. Here's how the race condition works and how to stop it.

Oct 30, 20257 min read
Industry Analysis

Sensitive Information Exposure in Error Messages

Stack traces, SQL errors, and debug pages routinely leak credentials, paths, and library versions to attackers. Here's how CWE-209 exposure happens and how to close it.

Oct 29, 20257 min read
Industry Analysis

SQL Injection Prevention in Java with PreparedStatement

Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.

Oct 27, 20258 min read
Industry Analysis

SQL Injection Prevention in Node.js/JavaScript

SQL injection still hits Node.js apps through raw drivers, Sequelize, Prisma, and Knex alike. Here's how it happens, what safe queries look like, and how to catch it in CI.

Oct 27, 20259 min read
appsec (Page 17) — Safeguard Blog