Safeguard
Tag

sast

Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.

267 articles

Industry Analysis

XXE Prevention in Java: Hardening DocumentBuilderFactory

Java's DocumentBuilderFactory parses XML with external entities on by default, turning XML uploads into file-read and SSRF vectors. Here is how to lock it down.

Oct 22, 20258 min read
Industry Analysis

Secure Random Number Generation in Go with crypto/rand

Go's math/rand is fast but predictable. Here's why crypto/rand is the only safe choice for tokens, keys, and nonces -- and what changed in Go 1.20-1.24.

Oct 19, 20258 min read
DevSecOps

OWASP Secure Coding Practices: A Working Checklist

OWASP secure coding practices boil down to a handful of checks that catch most real-world vulnerabilities — here's the checklist teams actually use, not the full 200-item reference.

Sep 18, 20255 min read
AppSec

Source Code Analysis Tools: SAST, Linters, and Semantic Engines

Not all source code analysis tools do the same job. Linters, pattern-based SAST, and semantic dataflow engines catch different bug classes, and mixing them up wastes budget.

Sep 16, 20256 min read
Supply Chain

SCA vs Static Code Analysis: The Real Difference

Software composition analysis and static code analysis get lumped together constantly, but they read entirely different things and catch entirely different bugs.

Sep 15, 20256 min read
Application Security

How Snyk Code's semantic analysis engine builds a code mo...

A mechanical look at how Snyk Code's semantic analysis engine parses source into a code model, tracks data flow across files, and prioritizes vulnerability findings.

Sep 14, 20257 min read
Application Security

Inside DeepCode AI: how Snyk Code's ML models are trained...

How Snyk's DeepCode AI turns millions of open-source commit fixes into the symbolic-AI and ML models powering Snyk Code's vulnerability detection and autofixes.

Sep 14, 20258 min read
Application Security

How taint analysis works in Snyk Code: tracking data from...

Snyk Code traces untrusted data from source to sink using interprocedural static analysis and ML ranking. Here's how the taint-tracking mechanics work.

Sep 14, 20258 min read
Application Security

How Snyk Code performs interprocedural data-flow analysis...

How Snyk Code tracks tainted data across function and file boundaries using call-graph summaries, taint propagation, and hybrid symbolic AI rules.

Sep 14, 20258 min read
Application Security

How Snyk Code models control flow to catch race condition...

A mechanical look at how Snyk Code builds control flow and data flow graphs to trace paths that produce race conditions and null pointer dereferences.

Sep 13, 20257 min read
Application Security

How Snyk Code distinguishes sanitizers from insecure sour...

How Snyk Code's taint-tracking engine tells sanitizers apart from insecure sources and sinks, and where the source-sink-sanitizer model still needs human review.

Sep 13, 20258 min read
Application Security

Why Snyk Code's semantic approach produces fewer false po...

Snyk Code cuts SAST false positives using semantic analysis: AST/data-flow graphs plus ML trained on real code, not regex patterns. Here is how the mechanics work.

Sep 13, 20257 min read
sast (Page 16) — Safeguard Blog