Safeguard
Tag

sast

Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.

267 articles

DevSecOps

Why developers ignore security tools, and how to fix it

Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.

Jul 13, 20266 min read
Application Security

Finding and fixing XXE vulnerabilities across common XML parsers

XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.

Jul 13, 20267 min read
Application Security

Integrating C/C++ security scanning into CI pipelines

Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.

Jul 13, 20267 min read
Application Security

Preventing insecure deserialization in Node.js

A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.

Jul 13, 20265 min read
Application Security

Preventing SMTP injection vulnerabilities in email-sending code

A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.

Jul 13, 20266 min read
Application Security

How catastrophic regex backtracking causes ReDoS — and how to stop it

A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.

Jul 13, 20266 min read
Application Security

XPath injection: how it happens and how to stop it in Java, .NET, and PHP

A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.

Jul 13, 20266 min read
Application Security

The security implications of Node.js worker_threads

Node.js worker_threads share memory across V8 isolates by design — CVE-2025-23083 (CVSS 7.7) shows even the permission model meant to contain them can be bypassed.

Jul 12, 20266 min read
Application Security

Python linting for security hygiene: what flake8, pylint, and bandit actually catch

Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.

Jul 12, 20266 min read
Application Security

Modern C++ security: smart pointers, bounds checking, and static analysis

Microsoft has said for years that ~70% of the CVEs it patches trace to memory-safety bugs — here's how modern C++ actually closes that gap.

Jul 11, 20266 min read
Application Security

How modern SAST engines model data flow and taint tracking

Linters flag every eval() call; SAST tools flag the two an attacker can reach. Here's how taint tracking works, and what it costs in precision and compute.

Jul 11, 20266 min read
Application Security

Why assert is not a security control in Python

Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.

Jul 11, 20266 min read
sast (Page 2) — Safeguard Blog