secure-coding
Safeguard articles tagged "secure-coding" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Building AppSec Training Programs That Actually Change Behavior
OWASP's 2021 Top 10 added Insecure Design as its largest category by CWE count, yet most developer training still teaches syntax, not decisions.
Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right
One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.
The OWASP Top 10:2025, explained with minimal fix-it code
OWASP reordered its Top 10 for 2025 — Broken Access Control is back at #1 and a new Mishandling of Exceptional Conditions category debuts at #10.
Path traversal, decoded: canonicalization patterns across languages
CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
Preventing mass assignment in Spring MVC and Spring Boot
CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.
Why developers ignore security tools, and how to fix it
Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.
How catastrophic regex backtracking causes ReDoS — and how to stop it
A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.
Contributing to open source securely: a guide for new maintainers and PR authors
It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.
Java DTOs for secure data handling
A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.
Writing your first Jest unit tests for security-critical JavaScript
Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.
A hands-on stack buffer overflow in C++: root cause and mitigations
The Morris Worm hit ~6,000 machines in 1988 via one unsafe gets() call. We build and hijack a stack overflow in C++ to teach why canaries and ASLR exist.