Safeguard
Tag

secure-coding

Safeguard articles tagged "secure-coding" — guides, analysis, and best practices for software supply chain and application security.

125 articles

DevSecOps

Building AppSec Training Programs That Actually Change Behavior

OWASP's 2021 Top 10 added Insecure Design as its largest category by CWE count, yet most developer training still teaches syntax, not decisions.

Jul 15, 20266 min read
Application Security

Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right

One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.

Jul 15, 20267 min read
Application Security

The OWASP Top 10:2025, explained with minimal fix-it code

OWASP reordered its Top 10 for 2025 — Broken Access Control is back at #1 and a new Mishandling of Exceptional Conditions category debuts at #10.

Jul 15, 20269 min read
Application Security

Path traversal, decoded: canonicalization patterns across languages

CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.

Jul 15, 20266 min read
Best Practices

Secure Coding Fundamentals: A No-Jargon Checklist for New Developers

Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.

Jul 15, 20267 min read
Application Security

Preventing mass assignment in Spring MVC and Spring Boot

CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.

Jul 14, 20266 min read
DevSecOps

Why developers ignore security tools, and how to fix it

Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.

Jul 13, 20266 min read
Application Security

How catastrophic regex backtracking causes ReDoS — and how to stop it

A single bad regex took Cloudflare's global network to ~100% CPU for 27 minutes in 2019. Here's the backtracking mechanics behind ReDoS and how to rewrite unsafe patterns.

Jul 13, 20266 min read
Open Source Security

Contributing to open source securely: a guide for new maintainers and PR authors

It took roughly two years of trusted commits before the xz-utils backdoor shipped. Here's how new contributors avoid becoming the next weak link.

Jul 12, 20267 min read
Application Security

Java DTOs for secure data handling

A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.

Jul 12, 20266 min read
Best Practices

Writing your first Jest unit tests for security-critical JavaScript

Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.

Jul 12, 20267 min read
Application Security

A hands-on stack buffer overflow in C++: root cause and mitigations

The Morris Worm hit ~6,000 machines in 1988 via one unsafe gets() call. We build and hijack a stack overflow in C++ to teach why canaries and ASLR exist.

Jul 11, 20267 min read
secure-coding — Safeguard Blog