appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
Web Session Security: A Practical Guide
Web session security is the set of controls that keep a logged-in user's session token from being stolen, guessed, or reused by an attacker — and most of it comes down to a handful of cookie flags and lifecycle rules teams routinely skip.
Vulnerability Assessment Services: What's Actually Included
Vulnerability assessment services bundle scanning, triage, and remediation tracking — but the scope varies widely between vendors, and knowing what's actually included changes what you should pay.
Stored XSS: Why Persistent Injection Hurts Most
Stored XSS saves the attacker's script server-side and serves it to everyone. Here is why persistent injection is the most damaging XSS variant and how to stop it.
The Threat Modeling Process, Step by Step
Threat modeling answers four questions: what are we building, what can go wrong, what are we doing about it, and did we do enough? A concrete step-by-step process your team can run in an afternoon.
Open Redirect Vulnerabilities: How Attackers Abuse Them
An open redirect attack abuses a trusted domain's own redirect functionality to send victims to a malicious site — low severity on its own, but a key ingredient in phishing and OAuth token theft.
What Is Checkmarx? A Plain-English Overview
Checkmarx is one of the oldest names in static analysis, built for large enterprises with dedicated security teams. Here's what it actually does and how it stacks up.
Enterprise Rails Security Audit: 2025 Field Notes
After 14 Rails audits in the last 12 months, the same eight issues kept surfacing. Here's the 2025 field checklist for Rails 7.2 and 8.0 enterprise apps.
Open Source SAST Tools Worth Evaluating
A rundown of the open source SAST tools engineering teams actually use in production, and where each one runs out of road.
Code Injection in Python: How It Happens and How to Prevent It
Code injection python vulnerabilities almost always trace back to eval, exec, or a template engine handed untrusted input; here is how the attack works and how to close it off.
Website Vulnerability Scanners: How They Work and What They Miss
How a website vulnerability scanner crawls, fuzzes, and fingerprints your app, plus the whole classes of flaws it structurally cannot find on its own.
Web Application Penetration Testing: What to Expect
A real web application penetration test follows a scoped, multi-phase process — here's what happens before, during, and after the engagement so the report doesn't surprise you.
JavaScript Vulnerability Scanners: How They Actually Work
A javascript vulnerability scanner has to reason about a dynamically typed, dependency-heavy language — which is why the good ones combine static analysis with dependency-graph lookups rather than relying on either alone.