appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
What Is a Security Champions Program?
AppSec teams are outnumbered 100 to 1 by developers. A security champions program is the only staffing model that scales — here is how to build one that lasts.
IAST Security: Interactive Application Security Testing Explained
IAST security instruments a running application to watch real requests flow through real code, catching vulnerabilities that static analysis and black-box scanning both miss.
Types of Vulnerability Assessment, Explained
Not every vulnerability assessment tests the same thing. Here's how network, application, host, and wireless assessments differ, and when each one is the right call.
Software Security Issues: A Triage Framework
Most teams triage software security issues by severity score alone, which routinely gets the priority order wrong. A better framework weighs reachability and exposure too.
Tools in Cyber Security: A Starter Map by Category
The tools in cyber security span network defense, application security, identity, and data protection, and the fastest way to get oriented is a map by category rather than a vendor list.
Software Security Testing: A Practitioner's Overview
Software security testing spans static analysis, dynamic testing, dependency scanning, and manual review — a practical map of which method catches what, written for people who actually run these programs.
GitGuardian vs TruffleHog: Secret Detection Showdown
Compare GitGuardian and TruffleHog on detector coverage, validation, historical scans, developer workflow, and pricing to pick the right secret scanning tool.
OWASP 10 vs OWASP Top 10: Clearing Up the Confusion
"OWASP 10" isn't a separate standard — it's shorthand people search for the OWASP Top 10, and the confusion usually starts with which Top 10 they actually mean.
SAST Full Form and What It Actually Tests
SAST stands for static application security testing — analyzing source code without running it. Here's exactly what it catches, what it misses, and how it fits a pipeline.
Semgrep vs CodeQL: SAST Comparison
Compare Semgrep and CodeQL on rule authoring, language coverage, taint analysis, scan time, IDE integration, and pricing to choose the right SAST engine in 2024.
SSRF Examples and How They're Actually Exploited
Real SSRF examples, from cloud metadata theft to internal port scanning, showing exactly how a server-side request forgery bug gets turned into a full compromise.
SQL Injection Examples: Classic and Modern Attack Patterns
Real SQL injection examples from classic login bypass to blind, time-based, and ORM-era attacks, plus how to test for each one safely.