Safeguard
Tag

sast

Safeguard articles tagged "sast" — guides, analysis, and best practices for software supply chain and application security.

267 articles

Application Security

Designing an application security program from first principles

Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.

Jul 8, 20267 min read
Application Security

Bytecode vs. source analysis: static analysis techniques for Java and Kotlin

SpotBugs scans compiled .class files for 400+ bug patterns; Semgrep parses source directly. Neither alone would have caught CVE-2015-7501 fast enough.

Jul 8, 20265 min read
Application Security

Java SecurityManager is gone: a practical migration guide

JEP 411 deprecated the Security Manager in JDK 17; JEP 486 disabled it outright in JDK 24, released March 18, 2025. Here's how to migrate before it's removed for good.

Jul 8, 20267 min read
Application Security

Wiring dependency and SAST scanning into your JavaScript CLI workflow

npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.

Jul 8, 20267 min read
AI Security

LLM-assisted vulnerability autofixing: approaches and how to validate the patches

At DARPA's AIxCC finals in August 2025, AI systems patched 68% of vulnerabilities they found — up from 25% at semifinals. Here's how the approaches differ and why validation still matters most.

Jul 8, 20267 min read
Vulnerability Management

The 10 most common code-level vulnerability classes, ranked by real-world data

MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.

Jul 8, 20268 min read
Application Security

The security case for Node.js's newer runtime features

Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.

Jul 8, 20267 min read
Application Security

PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit

Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.

Jul 8, 20266 min read
Application Security

The three dimensions of Python static analysis, and where each one blinds itself

AST scanners, taint trackers, and type checkers each solve a different problem — and each has a documented blind spot that lets real bugs through untouched.

Jul 8, 20266 min read
Application Security

Secure conditional rendering in React and Next.js Server Components

A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.

Jul 8, 20266 min read
AI Security

The blind spots of single-model AI security tooling

OpenAI's API went down three separate times in 2024 alone — if your SAST pipeline hard-depends on one model provider, its outages and blind spots become yours.

Jul 8, 20266 min read
DevSecOps

Wiring SAST Findings Into ITSM: The Overlooked Lever for MTTR

The 2026 Verizon DBIR found median patch time hit 43 days, up from 32 — and much of that gap is ticket handoff friction, not fix difficulty.

Jul 8, 20266 min read
sast (Page 5) — Safeguard Blog