appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
Product Security vs Application Security: What's the Difference
Application security protects the code and runtime of a single piece of software; product security is the broader discipline covering that software's entire lifecycle, including hardware, supply chain, and how customers actually use it.
Free Web Security Scanners: What to Expect From the Free Tier
What a free web security scanner will and won't catch, how the free tiers of popular tools are actually limited, and when you need to pay for real coverage.
A Threat Model Example, Walked Through Step by Step
The fastest way to understand threat modeling is to watch one built end to end — this walks through a real threat model example for a simple login and payment flow.
SQL Injection Prevention Cheat Sheet
A practitioner's SQL injection cheatsheet: parameterized queries, safe ORM use, input validation, least privilege, and the exact patterns to ban in review.
XSS Examples: Real Payloads and How They Execute
Concrete XSS examples across HTML, attribute, and JavaScript contexts, with the payloads that trigger them and why each one runs.
Static Code Analysis Tools: The Open Source Options
Static code analysis tools open source teams actually use — Semgrep, CodeQL, Bandit, ESLint security plugins — and where each one's coverage runs out.
Cloud Application Security Best Practices
Five layers cover most of the risk in cloud apps: identity, secrets, artifact scanning, pipeline gates, and runtime guardrails. Here is how to build each one without slowing delivery.
SAST vs DAST: When to Use Each (and Why Not Either/Or)
SAST and DAST test different layers of an application at different stages of the pipeline — the real question isn't which to pick, it's how to run both without duplicating effort.
LDAP Injection Attacks: How They Work and How to Prevent Them
LDAP injection lets an attacker manipulate directory-service queries by inserting special filter characters into user input, often bypassing authentication entirely — here's how the attack works and how to stop it.
Secure Code Review: A Practical Checklist
Secure code reviews catch a different category of bug than functional code review, and having a repeatable checklist keeps reviewers from relying on memory for the same handful of recurring flaws.
Preventing SQL Injection: A Defense-in-Depth Approach
Parameterized queries stop most SQL injection, but the attacks that make it to production usually slip past a single control — here's the layered defense that catches the rest.
Use-After-Free Vulnerabilities: How They're Exploited
A use-after-free exploit turns a dangling pointer into arbitrary code execution — here's how the bug class works, why it still dominates browser and kernel CVEs, and how to catch it before release.