appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
XXE Prevention in JavaScript: Disabling libxmljs noent
How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.
XXE Prevention in C++: Removing libxml2 XML_PARSE_NOENT
How the libxml2 XML_PARSE_NOENT flag enables XXE in C++ codebases, the real CVEs behind it, and the exact code changes needed to remove it safely.
XXE Prevention in Java: Hardening DocumentBuilderFactory
Java's DocumentBuilderFactory parses XML with external entities on by default, turning XML uploads into file-read and SSRF vectors. Here is how to lock it down.
XXE Prevention in C# by Disabling XmlResolver/DTD Processing
XXE in C# lives at the XmlResolver and DtdProcessing settings. Here's how .NET's defaults evolved since 2014 and exactly how to lock down XmlDocument, XmlTextReader, and XmlReaderSettings.
XXE Prevention in Go with decoder.DisallowDTD
Go's standard XML parser resists classic XXE by design, but cgo bindings and SAML libraries can reopen it. Here's how the DisallowDTD pattern closes the gap.
XXE Prevention in PHP with libxml_disable_entity_loader
libxml_disable_entity_loader() looked like the fix for XXE in PHP, but PHP 8.0 deprecated it. Here's what it did, why it broke, and what to use now.
Insecure Deserialization Prevention in Java with Deserial...
Java deserialization RCEs still hit production years after JEP 290 shipped filters. Here's how JEP 290/415 filters work, common rollout mistakes, and how Safeguard closes the gaps.
Secure Random Number Generation in JavaScript with crypto...
Math.random() is predictable and unsafe for security tokens. Here's why Node's crypto.randomBytes() is the standard for secure JavaScript randomness.
Secure Random Number Generation in Python with the secret...
Python's random module is predictable, not secure. Here's why CWE-338 matters, when the secrets module (PEP 506, Python 3.6) fixed it, and how to generate tokens safely.
Secure Random Number Generation in Go with crypto/rand
Go's math/rand is fast but predictable. Here's why crypto/rand is the only safe choice for tokens, keys, and nonces -- and what changed in Go 1.20-1.24.
Secure Random Number Generation in C# with RandomNumberGe...
Why System.Random is a security liability in C# and how RandomNumberGenerator prevents predictable tokens, nonces, and keys in .NET applications.
SAST, DAST, and SCA: The Three Scanner Types You Actually Need
Each scanner type answers a different question about your application. Here's what SAST, DAST, and SCA each catch, and why running just one leaves gaps.