appsec
Safeguard articles tagged "appsec" — guides, analysis, and best practices for software supply chain and application security.
339 articles
CSRF Attacks: How They Work and How Tokens Stop Them
A CSRF attack rides a logged-in user's browser to forge requests they never meant to send. Here is the mechanism and why anti-CSRF tokens defeat it.
SQL Injection Basics for Engineers Who Aren't Security Specialists
SQL injection is still one of the most common ways applications get breached, and the fix is usually a one-line change — this walks through the basics with a real example.
SQL Injection Prevention Techniques That Actually Work
SQL injection prevention comes down to one non-negotiable technique — parameterized queries — plus a short list of layered defenses that catch what a single control misses.
DevSecOps Definition: How It Differs From DevOps and SecOps Alone
The devsecops definition that actually matters isn't a new tool category — it's making security a shared responsibility across the pipeline instead of a gate at the end.
Application Vulnerabilities: The Common Classes Explained
Injection, broken access control, and misconfiguration account for most real-world breaches. Here's a plain map of the classes that matter and how each one is actually exploited.
What Is DevSecOps? Explained in Plain Terms
A plain-terms answer to devsecops o que e, the Portuguese-language version of 'what is DevSecOps,' with the same explanation that applies regardless of what language you searched in.
XSS Script Examples, Annotated
Reading a real xss script example line by line makes cross-site scripting concrete in a way definitions rarely do — here are annotated examples across the three main XSS types.
XXE Attacks Explained: XML External Entity Injection
How an XXE attack turns a trusting XML parser into a file-reading, request-forging liability, with a concrete Java example and the parser flags that shut it down.
What Does SAST Stand For, Exactly?
SAST stands for static application security testing — analyzing source code for vulnerabilities without ever running the program, which is what separates it from every dynamic testing approach.
Building a Security Champions Program
A step-by-step guide to launching a security champions program that scales your security team's influence across engineering without hiring a dozen new AppSec engineers.
HTTP Request Smuggling: A Practical Guide
HTTP request smuggling exploits disagreements between frontend and backend servers about where one request ends and the next begins. This guide covers CL.TE, TE.CL, and TE.TE variants with detection and defense strategies.
Authentication Bypass: Common Patterns Attackers Exploit
Authentication bypass vulnerabilities let attackers access protected resources without valid credentials. This guide covers the most common bypass patterns found in modern web applications and how to prevent each one.