Safeguard
Tag

owasp

Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.

104 articles

Application Security

JWT security vulnerabilities and best practices

The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.

Jul 10, 20266 min read
AI Security

The OWASP Top 10 for LLM Applications, Explained With Real Examples

OWASP's LLM security list has grown from a 2023 side project into a 600+ expert initiative. Here's what each of the ten risks actually looks like in production.

Jul 10, 20268 min read
Application Security

AI-driven DAST for modern applications

73% of open-source developers now use AI coding tools. Dynamic testing built for nightly crawls can't keep pace with apps that reshape their attack surface daily.

Jul 9, 20267 min read
AI Security

The OWASP Top 10 for LLM Applications, Explained

The OWASP LLM Top 10 is the closest thing the field has to a shared checklist for AI security. Here is what each of the ten risks actually means, in plain language, with the defenses that matter.

Jul 8, 20266 min read
Security Guides

The Go Web Application Security Checklist: Server Hardening to Output Encoding

A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.

Jul 8, 20266 min read
Best Practices

Running Capture the Flag exercises for internal security training

DEF CON CTF has run since 1996, yet most engineering orgs still train security awareness with slide decks instead of the format that actually built the industry.

Jul 8, 20267 min read
Application Security

Python code injection: eval, exec, and pickle explained

eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.

Jul 8, 20265 min read
AI Security

Why AI-generated code needs DAST, not just SAST

Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.

Jul 8, 20266 min read
Application Security

DOM clobbering: the XSS attack that never runs a script tag

DOM clobbering lets attackers hijack JavaScript logic using pure HTML — no <script> tag required — and it just bypassed DOMPurify's own sanitizer in 2026.

Jul 8, 20266 min read
Best Practices

Ethical hacking techniques, mapped to a responsible disclosure workflow

Recon, enumeration, exploitation, and privilege escalation aren't just attacker steps — Log4Shell's 15-day gap between private report and public exploit shows why each maps to a disclosure decision.

Jul 8, 20266 min read
AI Security

Guardrails for Autonomous AI Agents: Allowlisting, Validation, and Human-in-the-Loop

OWASP's 2025 LLM Top 10 splits Excessive Agency into three root causes. Here's how tool allowlisting, output validation, and approval gates address each one.

Jul 8, 20266 min read
Application Security

Secure JWT handling: algorithm confusion, expiry, and storage done right

A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.

Jul 8, 20266 min read
owasp (Page 2) — Safeguard Blog