Safeguard
Tag

java

Safeguard articles tagged "java" — guides, analysis, and best practices for software supply chain and application security.

70 articles

DevSecOps

SpotBugs Security Detectors for Java: A Practical Guide

SpotBugs with Find Security Bugs is the most effective free security analysis tool for Java. Here is how to get real results from it.

Jun 22, 20234 min read
Software Supply Chain Security

Maven Plugin Verification: Trusting Your Build-Time Dependencies

Maven plugins execute during your build with full system access. Verifying them is harder than verifying runtime dependencies, and most teams skip it.

Apr 15, 20234 min read
Dependency Security

Java Maven and Gradle Dependency Security

How to secure your Java dependency chain across Maven and Gradle builds, from signature verification to repository management.

Mar 8, 20234 min read
Software Supply Chain Security

Maven Dependency Resolution Attacks: Exploiting Java's Build System

Maven's dependency resolution mechanism can be exploited through repository poisoning, dependency confusion, and POM manipulation. Here is what Java teams need to know.

Mar 5, 20235 min read
Incident Analysis

The Log4Shell Response Playbook Six Months In

Six months after CVE-2021-44228 broke the internet, here is what worked, what didn't, and the response patterns security teams should keep as muscle memory.

Jun 12, 20226 min read
Supply Chain Attacks

Maven Central Supply Chain Risks: Securing the Java Ecosystem

Maven Central is the backbone of the Java ecosystem, serving billions of artifact downloads annually. Its unique trust model and dependency resolution create supply chain risks that Java teams must understand.

May 15, 20226 min read
Vulnerability Management

Spring4Shell (CVE-2022-22965) Response Analysis

A 2010-era bypass resurfaced as CVE-2022-22965 on Spring Framework for JDK 9+. Here is how the disclosure, patch, and industry response actually went.

Apr 2, 20226 min read
Vulnerability Analysis

Spring4Shell vs Log4Shell: Comparing Two Java Framework Crises

Both scored 9.8 on CVSS. Both affected millions of Java applications. But Log4Shell and Spring4Shell had fundamentally different blast radii. Here's a direct comparison.

Apr 2, 20226 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965): Remote Code Execution in Spring Framework

A critical RCE in Spring Framework sent Java teams scrambling. While less catastrophic than Log4Shell, Spring4Shell exposed dangerous assumptions about ClassLoader access in Java web applications.

Mar 31, 20225 min read
Vulnerability Analysis

Log4Shell Vulnerability (CVE-2021-44228) Explained

The most critical vulnerability in a decade dropped on a Friday. Log4Shell affects virtually every Java application and is trivial to exploit. Here's what happened.

Dec 13, 20215 min read
java (Page 6) — Safeguard Blog