best-practices
Safeguard articles tagged "best-practices" — guides, analysis, and best practices for software supply chain and application security.
105 articles
Secure code review: the checklist reviewers actually need
Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.
Ransomware defense strategy for engineering teams
Ransomware hit 44% of breaches in Verizon's 2025 DBIR, up from 32% a year prior. Here's the backup, access, and detection playbook that actually stops it.
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
AppSec anti-patterns to eliminate
23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.
The security hygiene checklist most engineering orgs still skip
22% of breaches start with stolen credentials, per Verizon's 2025 DBIR. A quarter-long hygiene checklist — patching, MFA, secrets, least privilege — closes most of that gap.
Writing your first Jest unit tests for security-critical JavaScript
Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.
Webhook security best practices: HMAC signing, replay protection, and IP allowlisting
Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.
Building a secure coding culture: training, champions, and incentives that stick
Verizon's 2025 DBIR found the human element in ~60% of breaches. A practical playbook for training, champions programs, and incentives that actually change developer behavior.
Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages
NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.
Secrets detection to prevent data breaches
GitGuardian found 12.8 million new secrets exposed on public GitHub in 2023, up 28% year over year — and most of them stayed live for days after leaking.
Symmetric vs Asymmetric Encryption in Python: A Practical Guide
One key or two? A working comparison of Fernet and RSA in Python's cryptography library — with the OAEP-vs-PKCS1v15 mistake that still causes padding-oracle bugs.
6 free GitHub security settings every maintainer should e...
GitHub Advanced Security costs per committer, but six free GitHub repository security settings — from 2FA to secret scanning — already stop most real-world supply chain attacks.