industry-analysis
Safeguard articles tagged "industry-analysis" — guides, analysis, and best practices for software supply chain and application security.
85 articles
Remote attestation fundamentals for confidential computin...
A practical look at remote attestation for confidential computing: how enclave protocols and hardware verification prove workloads haven't been tampered with.
Key security risks unique to WebAssembly runtimes and mod...
WebAssembly runs your edge functions, service mesh plugins, and smart contracts. Here are the WebAssembly security risks hiding behind the sandbox.
How the WASI security model constrains system access for ...
WASI's capability model gives Wasm modules only the exact files, sockets, and resources they're explicitly granted—but misconfiguration and runtime bugs still leave real gaps to close.
Practical steps to secure third-party WebAssembly plugins...
A step-by-step guide to securing third-party WebAssembly plugins in production: sandboxing, capability restriction, resource limits, provenance checks, and runtime monitoring.
Security considerations for running WebAssembly at the ed...
Wasm's sandbox is safe by default, not safe by construction. Here's where edge WebAssembly security breaks down -- in browsers, at the edge, and in the build pipeline.
NoSQL Injection Attack Techniques
NoSQL injection lets attackers bypass logins and hijack MongoDB/CouchDB apps using operators like $ne and $where. Here's how it works and how to stop it.
Prototype Pollution in JavaScript Applications
Prototype pollution has hit lodash, jQuery, and minimist with real CVEs, from DoS to RCE. Here's how the bug works and how Safeguard catches it before it ships.
Code Injection via eval() and exec() Across Languages
eval() and exec() turn dynamic code execution into remote code execution. A cross-language look at how it happens in Python, JS, PHP, and Ruby.
Broken Function Level Authorization (BFLA) in APIs
BFLA lets a regular user call admin-only API functions. Here's how the USPS, Peloton, and Coinbase incidents happened — and how to catch it before attackers do.
Unrestricted Access to Sensitive Business Flows
OWASP's API10:2023 category covers a threat scanners can't see: bots abusing legitimate business flows like checkout and ticketing at scale. Here's how it works.
Unsafe Consumption of Third-Party APIs
Third-party APIs get trusted more than user input ever would — and attackers know it. Real breaches from Polyfill.io to 3CX show why that trust is misplaced.
CORS Misconfiguration Vulnerabilities
CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.