Safeguard
Tag

owasp

Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.

104 articles

Application Security

LDAP injection: a technical primer and defense guide

LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.

Jul 8, 20266 min read
Vulnerability Management

The 10 most common code-level vulnerability classes, ranked by real-world data

MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.

Jul 8, 20268 min read
Application Security

CSRF in Node.js: attack mechanics and modern mitigation

Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.

Jul 8, 20267 min read
Application Security

Secure URL Encoding and Decoding in Java

Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.

Jul 8, 20266 min read
Application Security

Secure session lifecycle management: tokens, rotation, and cookie flags

OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.

Jul 8, 20266 min read
Application Security

Robust input validation in Spring Boot: Bean Validation and its bypasses

Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.

Jul 8, 20266 min read
Best Practices

Parameterized queries across languages: the real defense against SQL injection

SQL injection (CWE-89) still ranks #3 on the OWASP Top 10, but every major language has shipped a native, built-in fix for over a decade — most breaches happen anyway.

Jul 8, 20267 min read
Application Security

Web cache poisoning: attack mechanics and prevention

A 2024 academic scan of the Tranco Top 1000 domains found roughly 17% vulnerable to web cache poisoning — here's how the attack works and how to stop it at the edge.

Jul 8, 20266 min read
Application Security

Preventing SQL injection in Node.js applications

CWE-89 is a 25-year-old bug class, but Node's template literals make it trivially easy to reintroduce in mysql2, pg, and even Sequelize's raw-query escape hatch.

Jul 7, 20267 min read
Application Security

Preventing SSRF in Node.js applications

A single unvalidated URL in a fetch or axios call can let an attacker reach 169.254.169.254 and steal cloud credentials — as the 2019 Capital One breach showed.

Jul 7, 20266 min read
Security Guides

REST API Security Best Practices: The OWASP API Top 10 in Practice

Most API breaches aren't exotic — they're broken object-level authorization and missing rate limits. A practical walk through the OWASP API Security Top 10.

Jul 6, 20265 min read
Guides

Secure Coding for Beginners: Writing Code That Resists Attack

Secure coding is not a separate discipline you bolt on later. It is a set of small habits you weave into the way you already write software. Here is a friendly introduction with a first exercise to try today.

Jul 5, 20266 min read
owasp (Page 3) — Safeguard Blog