owasp
Safeguard articles tagged "owasp" — guides, analysis, and best practices for software supply chain and application security.
104 articles
Application Layer Security: What It Covers (and What It Doesn't)
Application layer security protects the code, logic, and APIs at the top of the OSI stack, but it's easy to confuse it with network or infrastructure security controls that solve a different problem.
Serialization vs. Deserialization in Java: Security Implications
The difference between serialization and deserialization in Java is simple to state and dangerous to get wrong — deserialization of untrusted data has caused some of the highest-severity Java CVEs of the last decade.
OWASP ASVS 5.0 Adoption Guide
OWASP ASVS 5.0 restructured the verification levels and added new requirements for modern stacks. A practical adoption guide for teams using ASVS as their security baseline.
OWASP Webinars and Training Resources Worth Your Time
Most application security teams already know OWASP by reputation but rarely tap its live training — here's which formats are worth blocking calendar time for.
OWASP LLM Top 10 2025: System Prompt Leakage and Vector Weaknesses
The OWASP Top 10 for LLM Applications 2025 added System Prompt Leakage and Vector/Embedding Weaknesses, and elevated Sensitive Information Disclosure to #2. Here is the defender view.
Secure Code Review: A Practical Checklist
Secure code reviews catch a different category of bug than functional code review, and having a repeatable checklist keeps reviewers from relying on memory for the same handful of recurring flaws.
Unrestricted File Upload Vulnerabilities: Risks and Fixes
An unrestricted file upload vulnerability lets an attacker place a working web shell on your server through a form that was only ever supposed to accept profile pictures or PDFs.
SSRF Attacks: How Server-Side Request Forgery Works
SSRF tricks a server into making requests an attacker controls — reaching internal services, cloud metadata endpoints, and data no external user should touch. Here is how it works and how to stop it.
SQL Injection: How It Works and How It's Actually Tested
A defender's walkthrough of how SQL injection works and how security testers actually verify it in a controlled, authorized assessment — not a how-to-attack guide.
A CSRF Example: Full Attack Walkthrough
A concrete csrf example — a bank transfer form with no anti-forgery token — showing exactly how a forged request rides in on a victim's session and what stops it.
XSS Scripting Attacks: A Refresher for Engineers
XSS scripting attacks still make the OWASP Top 10 more than two decades after they were first documented, mostly because the fix is context-dependent and easy to get almost-right.
What Is CWE? The Common Weakness Enumeration Explained
CWE catalogs the underlying software weakness behind a vulnerability, not the specific instance of it — here's how it relates to CVE and why scanners tag findings with a CWE ID.