Safeguard
Tag

java

Safeguard articles tagged "java" — guides, analysis, and best practices for software supply chain and application security.

70 articles

Container Security

Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images

jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.

Jul 8, 20266 min read
Best Practices

Installing and Verifying Java on macOS Securely

A SHA-256 checksum only proves a JDK download wasn't corrupted in transit — it takes a GPG signature check to prove it actually came from the vendor you trust.

Jul 8, 20266 min read
Best Practices

Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages

NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.

Jul 8, 20267 min read
Application Security

Java SecurityManager is gone: a practical migration guide

JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.

Jul 8, 20267 min read
Application Security

Secure URL Encoding and Decoding in Java

Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.

Jul 8, 20266 min read
Application Security

Robust input validation in Spring Boot: Bean Validation and its bypasses

Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.

Jul 8, 20266 min read
Application Security

Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox

CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.

Jul 8, 20266 min read
Security Guides

Java Secrets Management: Getting Credentials Out of Your Code

Hardcoded credentials are among the most common findings in Java codebases. Here's how to externalize, rotate, and protect secrets properly in 2026.

Jul 7, 20265 min read
Vulnerability Analysis

Text4Shell (CVE-2022-42889) Explained: RCE in Apache Commons Text Interpolation

CVE-2022-42889, Text4Shell, let attackers run code through Apache Commons Text's string interpolation when apps passed untrusted input to StringSubstitutor. Here is the flaw and why it was narrower than feared.

Jul 7, 20265 min read
Security Guides

JVM Supply Chain Security: Securing the Path from Source to Artifact

Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.

Jul 6, 20265 min read
Security Guides

Spring Framework Security Guide (2026)

Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.

Jul 6, 20266 min read
Security Guides

Java SQL Injection Prevention: Parameterized Queries and Beyond

SQL injection is decades old and still breaching Java apps. Here's how to prevent it with prepared statements, JPA binding, and safe dynamic queries.

Jul 5, 20265 min read
java (Page 2) — Safeguard Blog