secure-coding
Safeguard articles tagged "secure-coding" — guides, analysis, and best practices for software supply chain and application security.
129 articles
Parameterized queries across languages: the real defense against SQL injection
SQL injection (CWE-89) still ranks #3 on the OWASP Top 10, but every major language has shipped a native, built-in fix for over a decade — most breaches happen anyway.
Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns
Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.
Preventing CSRF and XSS in ASP.NET Core
How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.
The gosec Static Analysis Guide: Rules, CI, and Taming False Positives
gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.
Secrets Management for Python Applications
Hard-coded API keys and .env files committed to git are still the fastest route into a Python app. Here is how to keep secrets out of your code and your history.
C# Cryptography Best Practices in .NET
The right way to do cryptography in C#: authenticated encryption with AesGcm, secure randomness, PBKDF2 password hashing, constant-time comparison, and the legacy APIs to stop using.
Essential Security Skills Every Developer Should Learn
Security is no longer a separate team's job. Here are the essential security skills every developer should build in 2026—why they matter to your career, how to learn them for free, and how to prove you have them.
Java SQL Injection Prevention: Parameterized Queries and Beyond
SQL injection is decades old and still breaching Java apps. Here's how to prevent it with prepared statements, JPA binding, and safe dynamic queries.
Secure Coding for Beginners: Writing Code That Resists Attack
Secure coding is not a separate discipline you bolt on later. It is a set of small habits you weave into the way you already write software. Here is a friendly introduction with a first exercise to try today.
Preventing Command Injection in Python
Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.
Preventing SQL Injection in .NET with Entity Framework Core
How SQL injection still happens in Entity Framework Core apps, which EF Core APIs are safe by default, which ones aren't, and the exact patterns that keep raw SQL parameterized.
SQL Injection in Go: Why database/sql Is Safe Until You Reach for Sprintf
database/sql gives Go parameterized queries for free — yet SQL injection still ships in Go services through dynamic query building, ORM escape hatches, and misused identifiers. Here's the line you can't cross.