sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
Why developers ignore security tools, and how to fix it
Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.
Finding and fixing XXE vulnerabilities across common XML parsers
XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.
Integrating C/C++ security scanning into CI pipelines
Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.
Preventing insecure deserialization in Node.js
A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.
Preventing SMTP injection vulnerabilities in email-sending code
A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.
How catastrophic regex backtracking causes ReDoS — and how to stop it
A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.
XPath injection: how it happens and how to stop it in Java, .NET, and PHP
A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.
The security implications of Node.js worker_threads
Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.
Python linting for security hygiene: what flake8, pylint, and bandit actually catch
Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.
Modern C++ security: smart pointers, bounds checking, and static analysis
Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.
How modern SAST engines model data flow and taint tracking
Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.
Why assert is not a security control in Python
Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.