Safeguard
Tag

sast

Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.

267 articles

AI Security

Where AI actually helps AppSec — and where it quietly makes things worse

One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.

Jul 8, 20267 min read
Application Security

How AI-powered SAST auto-fix engines actually work

GitHub says Copilot Autofix resolves two-thirds of flagged vulnerabilities with little editing; Snyk claims 80% fix accuracy. Here's the pipeline behind both numbers.

Jul 8, 20268 min read
Application Security

ASPM fundamentals: what application security posture management actually aggregates

Gartner coined the ASPM term in May 2023 and projects over 40% of organizations building software will adopt it by 2026 — here is what it actually does.

Jul 8, 20266 min read
Application Security

ASPM fundamentals for security teams

Gartner projects over 40% of organizations will adopt Application Security Posture Management by 2026 — here's what it actually aggregates and how to judge if yours is working.

Jul 8, 20266 min read
Application Security

A framework for integrating ASPM into an existing AppSec program

Gartner defined ASPM in May 2023 as a correlation layer, not a rip-and-replace — here's how to fold it into a toolchain you already run.

Jul 8, 20266 min read
Application Security

Python code injection: eval, exec, and pickle explained

eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.

Jul 8, 20265 min read
AI Security

Code injection risks in GenAI-generated code

Nearly 40% of GitHub Copilot's suggested programs contain exploitable vulnerabilities, and 19.7% of AI-generated code samples reference packages that don't exist.

Jul 8, 20267 min read
Application Security

Command injection in Python: subprocess, os.system, and safe-by-default patterns

os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.

Jul 8, 20266 min read
AI Security

Why AI-generated code needs DAST, not just SAST

Copilot-generated code carried vulnerabilities in ~40% of cases in a 2021 NYU study. Static scanning alone cannot catch the runtime-only bug classes LLMs introduce.

Jul 8, 20266 min read
DevSecOps

The four-phase roadmap for adopting DevSecOps

Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.

Jul 8, 20267 min read
DevSecOps

A reference architecture for SAST, SCA, and DAST gates that don't block developers

Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.

Jul 8, 20267 min read
Application Security

Command injection in Go: os/exec, exec.Command, and how it still goes wrong

Go's exec.Command never invokes a shell — yet CWE-78 command injection keeps shipping in Go services. Here's exactly how, and how gosec's G204 rule catches it.

Jul 8, 20266 min read
sast (Page 4) — Safeguard Blog