Safeguard
Tag

secure-coding

Safeguard articles tagged "secure-coding" — guides, analysis, and best practices for software supply chain and application security.

129 articles

Application Security

Why assert is not a security control in Python

Run Python with -O and every assert statement vanishes from the bytecode — including the ones guarding auth checks and input validation.

Jul 11, 20266 min read
Application Security

Detecting weak cryptographic algorithms in code

SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.

Jul 10, 20267 min read
Application Security

JWT security vulnerabilities and best practices

The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.

Jul 10, 20266 min read
AI Security

Scanning AI-Generated Code Before It Merges: Wiring Scanners into Coding Assistants with MCP

Research found ~40% of Copilot suggestions were vulnerable, and devs using AI assistants trusted their code more. MCP lets you scan before merge.

Jul 9, 20267 min read
Security Guides

Insecure Deserialization in .NET: BinaryFormatter and Beyond

Why insecure deserialization is a remote-code-execution risk in .NET, what changed with BinaryFormatter's removal in .NET 9, and the dangerous JSON.NET settings still in the wild.

Jul 8, 20265 min read
AI Security

The Security Pitfalls Hiding in AI-Generated Code

A 2021 NYU study found roughly 40% of Copilot completions on security-relevant prompts contained exploitable flaws. Here's a field guide to catching them.

Jul 8, 20266 min read
Application Security

Command injection in Python: subprocess, os.system, and safe-by-default patterns

os.system() and subprocess.run(shell=True) both hand a string straight to /bin/sh — one unescaped semicolon is enough to run arbitrary commands.

Jul 8, 20266 min read
Application Security

CTF writeup patterns: serialization and cryptographic puzzles, decoded

CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.

Jul 8, 20267 min read
Best Practices

Defensive Java: coding patterns that stop NullPointerExceptions from becoming outages

NPE has been Java's most common runtime exception since JDK 1.0 in 1996 — Optional, JSpecify annotations, and static analysis can turn most of them into compile-time errors.

Jul 8, 20267 min read
Best Practices

Getting AES right in Java: JCA/JCE mistakes that break your encryption

Call `Cipher.getInstance("AES")` in Java and you silently get ECB mode — no warning, no error, just plaintext patterns leaking through.

Jul 8, 20267 min read
Vulnerability Management

The 10 most common code-level vulnerability classes, ranked by real-world data

MITRE's 2025 CWE Top 25 scored 39,080 CVEs — cross-site scripting still ranks #1, but Missing Authorization jumped five spots. Here's how to prevent each class.

Jul 8, 20268 min read
Application Security

Preventing open redirect vulnerabilities in Laravel

Laravel's own ->away() helper is documented as a bypass of its URL safety checks — feed it user input and you've built an open redirect, CWE-601, into the framework's happy path.

Jul 8, 20266 min read
secure-coding (Page 2) — Safeguard Blog