runtime-security
Safeguard articles tagged "runtime-security" — guides, analysis, and best practices for software supply chain and application security.
56 articles
Node.js runtime CVE roundup
A roundup of Node.js runtime CVEs since 2024 — command injection, HTTP smuggling, permission bypasses, and why runtime flaws evade typical dependency scanners.
Best IAST tools for runtime application security testing
A practical, no-fluff comparison of IAST tools for runtime application security testing — evaluation criteria, honest vendor tradeoffs, and where supply chain risk still slips through.
Best cloud workload protection platforms (CWPP)
An honest, no-hype comparison of leading cloud workload protection platforms — evaluation criteria, real vendor tradeoffs, and where supply chain security fits in.
CVE-2019-1075: Denial of service in .NET Core
CVE-2019-1075 is a 2019 denial-of-service flaw in .NET Core that let unauthenticated attackers crash web apps with crafted requests. Here's what to know.
Runtime Threat Detection in Cloud-Native Environments
Static analysis catches known vulnerabilities. Runtime detection catches exploitation. Here is how to implement runtime threat detection for containerized workloads.
eBPF and OpenTelemetry: The New Instrumentation Layer for...
eBPF and OpenTelemetry are becoming AppSec's new runtime instrumentation layer, catching supply chain attacks like the xz backdoor that static scanners miss entirely.
Kubernetes SecurityContext, Field by Field
SecurityContext in Kubernetes is where pod and container hardening actually lives — here's what each field controls and which defaults you should never leave in place.
Docker Container Security: A Hardening Checklist
Most container breaches trace back to a handful of avoidable mistakes — root users, bloated images, exposed sockets, unscanned dependencies. This checklist closes them, image to runtime.
eBPF Security Controls: A Production Experience Report
Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.
containerd Security Configuration Guide
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.
Node.js Permission Model: Restricting What Your Code Can Do
Node.js finally has an experimental permission model. It is a significant step toward containing supply chain attacks, but it has important limitations.
gVisor Runtime Security Deep Dive
gVisor intercepts syscalls in userspace and implements a minimal kernel in Go. It is a genuinely different approach, with genuinely different trade-offs.