owasp
Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.
104 articles
JWT security vulnerabilities and best practices
The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.
The OWASP Top 10 for LLM Applications, Explained With Real Examples
OWASP's LLM security list has grown from a 2023 side project into a 600+ expert initiative. Here's what each of the ten risks actually looks like in production.
AI-driven DAST for modern applications
73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.
The OWASP Top 10 for LLM Applications, Explained
The OWASP LLM Top 10 is the closest thing the field has to a shared checklist for AI security. Here is what each of the ten risks actually means, in plain language, with the defenses that matter.
The Go Web Application Security Checklist: Server Hardening to Output Encoding
A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.
Running Capture the Flag exercises for internal security training
DEF CON CTF has run since 1996, yet most engineering orgs still train security awareness with slide decks instead of the format that actually built the industry.
Python code injection: eval, exec, and pickle explained
eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.
Why AI-generated code needs DAST, not just SAST
Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.
DOM clobbering: the XSS attack that never runs a script tag
DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.
Ethical hacking techniques, mapped to a responsible disclosure workflow
Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.
Guardrails for Autonomous AI Agents: Allowlisting, Validation, and Human-in-the-Loop
OWASP's 2025 LLM Top 10 splits Excessive Agency into three root causes. Here's how tool allowlisting, output validation, and approval gates address each one.
Secure JWT handling: algorithm confusion, expiry, and storage done right
A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.