secure-coding
Safeguard articles tagged "secure-coding" — guides, analysis, and best practices for software supply chain and application security.
129 articles
What Are Parameterized Queries
Parameterized queries stop SQL injection by binding user input as data instead of parsing it as SQL — here's how they work, and where they still fail.
SQL injection: a complete developer's guide
A developer's guide to SQL injection: how it works, why CWE-89 still ranks in MITRE's Top 25, real breaches, and how to detect and fix it.
OS command injection explained
OS command injection lets attackers run arbitrary shell commands via unsanitized input. See how it works, real CVEs like PAN-OS 2024, and fixes.
Cross-site request forgery (CSRF) explained
CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.
Integer overflow vulnerabilities explained
What integer overflow vulnerabilities are, how CWE-190 causes real breaches like Bitcoin's 2010 overflow bug, and how to detect and prevent them.
Insecure randomness vulnerabilities explained
CWE-338 explained through the Debian OpenSSL and Android Bitcoin SecureRandom breaches — how weak PRNGs get exploited, and how to detect and fix them.
Certificate validation bypass and man-in-the-middle risk explained
Certificate validation bypass flaws silently disable TLS's identity guarantees, opening the door to man-in-the-middle attacks. Here's how they happen and how to catch them.
Mass assignment vulnerabilities explained
Mass assignment lets attackers write privileged fields like "role":"admin" via ordinary API calls. Learn how it works, real CVEs, and fixes.
Improper input validation (CWE-20) explained
CWE-20 explained: how improper input validation causes SQLi, RCE, and DoS, with real CVEs like Equifax's Struts breach and how to detect and fix it.
Null Pointer Dereference Vulnerabilities
A single unchecked pointer can crash a server. Here's what null pointer dereference vulnerabilities are, real CVEs like OpenSSL's, and how to catch them.
Uncaught Exception Security Risks
An uncaught exception isn't just a crash: it caused the Equifax breach and Log4j outages. See how exception-handling bugs become real security incidents.
Code Injection via eval() and exec() Across Languages
eval() and exec() turn dynamic code execution into remote code execution. A cross-language look at how it happens in Python, JS, PHP, and Ruby.