sast
Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.
267 articles
Designing an application security program from first principles
Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.
Bytecode vs. source analysis: static analysis techniques for Java and Kotlin
SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.
Java SecurityManager is gone: a practical migration guide
JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.
Wiring dependency and SAST scanning into your JavaScript CLI workflow
npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.
LLM-assisted vulnerability autofixing: approaches and how to validate the patches
At DARPA's AIxCC finals in August 2025, AI systems patched 68% of vulnerabilities they found — up from 25% at semifinals. Here's how the approaches differ and why validation still matters most.
The 10 most common code-level vulnerability classes, ranked by real-world data
MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.
The security case for Node.js's newer runtime features
Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.
PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit
Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.
The three dimensions of Python static analysis, and where each one blinds itself
AST scanners, taint trackers, and type checkers each solve a different problem — and each has a documented blind spot that lets real bugs through untouched.
Secure conditional rendering in React and Next.js Server Components
A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.
The blind spots of single-model AI security tooling
OpenAI's API went down three separate times in 2024 alone — if your SAST pipeline hard-depends on one model provider, its outages and blind spots become yours.
Wiring SAST Findings Into ITSM: The Overlooked Lever for MTTR
The 2026 Verizon DBIR found median patch time hit 43 days, up from 32 — and much of that gap is ticket handoff friction, not fix difficulty.