appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
XXE Attack Walkthroughs: What a Good Demo Actually Shows
Most XXE video walkthroughs stop at proof-of-concept file reads — here's what a genuinely useful one covers, plus the Java fix that actually closes the hole.
Reading a Scan Report: What Actually Matters
Most scan reports bury the three fields that decide whether a finding needs action today — this is how to read one without drowning in noise.
Finding Vulnerabilities in Source Code: A Practical Method
A concrete, repeatable method for finding vulnerabilities in source code — combining static analysis, dependency scanning, and manual review without drowning your team in false positives.
Free Website Vulnerability Scanners: What You Actually Get
Free scanners catch the obvious stuff — missing headers, expired TLS, a handful of known CVEs — but they stop well short of what a real security program needs.
Application Vulnerability Management: Program Basics
A working definition of application vulnerability management and the five program elements that separate a real practice from a pile of scanner tickets.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's repository of analyzed vulnerability data, built on top of the CVE program — here's what it actually adds, how CVE and NVD relate, and where its data comes from.
Static Source Code Analysis Tools: A Practical Guide
A practical walkthrough of what static source code analysis tools actually check, where they miss, and how to pick one without buying a shelf-ware scanner.
LLM-Augmented Bug Discovery Methodology
A practitioner's methodology for using LLMs to augment — not replace — traditional bug discovery workflows, with patterns that hold up under real review load.
Fixing XXE in Java: A Parser-by-Parser Hardening Guide
A parser-by-parser XXE fix for Java, covering DocumentBuilderFactory, SAXParser, XMLInputFactory, TransformerFactory, and the XML libraries that still ship unsafe defaults.
Bootstrapping a Secure Website Scan Workflow on a Budget
A small team can build a real scanning habit with zero budget — the trick is turning one-off checks into a repeatable workflow before traffic (and risk) grows.
NoSQL Injection: A Practical Tutorial
NoSQL databases don't use SQL syntax, but they're not immune to injection attacks — this NoSQL injection tutorial covers how the attack actually works against MongoDB-style queries.
Java Vulnerability Classes: A Reference List
A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.