YAML Deserialization Attacks: The Config File That Runs Code
YAML's tag system lets a document ask the parser to construct native objects, not just strings, numbers, lists and maps. In many languages the default loader honours those tags, so a YAML file from an untrusted source can instantiate arbitrary classes and execute code before your application ever looks at the result.
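The mechanism in one of those "many languages", as an added example that is not code from the article: Ruby's built-in Psych parser resolves `!ruby/object:ClassName` tags by allocating the class and, when the class defines `init_with`, calling it during the parse. The `WebhookSink` class, the `Audit` recorder and the `UNTRUSTED_YAML` document are constructed for this example; `load_unsafe` and `load_safe` are thin wrappers over Psych's own `unsafe_load` and `safe_load`, not part of any real application.

```ruby
require "yaml"

# Records side effects so the example can prove that code ran while the
# document was still being parsed. Constructed for this example.
module Audit
  @events = []

  def self.events
    @events
  end

  def self.record(event)
    @events << event
  end
end

# An ordinary application class. Psych revives `!ruby/object:WebhookSink`
# by allocating the class and, because the class defines init_with, calling
# that method with the mapping's fields. Nothing here was written to be
# reachable from a config file; the parser makes it reachable anyway.
class WebhookSink
  attr_reader :url

  def init_with(coder)
    @url = coder["url"]
    Audit.record("WebhookSink#init_with ran during parse, url=#{@url}")
  end
end

# Constructed attacker-controlled document: it looks like a build config,
# but the `notify:` value names a Ruby class for the parser to instantiate.
UNTRUSTED_YAML = <<~YAML
  name: nightly-build
  notify: !ruby/object:WebhookSink
    url: http://attacker.example/collect
YAML

# Unsafe: full tag resolution. YAML.unsafe_load exists since Psych 3.3.2;
# on older Psych releases the same behaviour was YAML.load's default.
def load_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe: only scalars, arrays, hashes and an explicit allow-list of classes.
# Any other tag raises Psych::DisallowedClass before anything is allocated.
def load_safe(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Runs the three cases and returns what happened, so the outcome can be
# inspected or asserted on rather than only printed.
def run_demo
  Audit.events.clear

  unsafe = load_unsafe(UNTRUSTED_YAML)
  unsafe_events = Audit.events.size

  safe_error = nil
  begin
    load_safe(UNTRUSTED_YAML)
  rescue Psych::DisallowedClass => e
    safe_error = e.class
  end
  safe_events = Audit.events.size - unsafe_events

  # Allow-listing the class re-enables init_with: permit only what you mean to.
  permitted = load_safe(UNTRUSTED_YAML, permitted: [WebhookSink])

  {
    unsafe_class: unsafe["notify"].class,
    unsafe_url: unsafe["notify"].url,
    unsafe_ran_code: unsafe_events == 1,
    safe_error: safe_error,
    safe_ran_code: safe_events != 0,
    permitted_class: permitted["notify"].class
  }
end

if $PROGRAM_NAME == __FILE__
  run_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The point to take from the output is that the unsafe path ran `WebhookSink#init_with` while the document was being parsed, before the caller saw any return value, whereas `safe_load` rejected the tag without allocating the object. The same split exists in other ecosystems: PyYAML's `yaml.load` with the full loader resolves `!!python/object` tags and `yaml.safe_load` does not, and SnakeYAML's default constructor honours `!!` class tags unless you use `SafeConstructor`. Treat the permitted-classes list the way the last case shows it: every class you allow is code you are inviting the document to run.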
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Traditional SCA tools tell you what's in your software. Next-gen SCA tells you what matters. Here's how the category is evolving.
XML's feature richness is its security weakness. XXE, entity expansion, and XSLT injection continue to plague applications that process XML.
Reachability analysis determines whether a vulnerable function is actually called by your application. The technology has matured from research concept to production tool. Here is how it works and where it falls short.
Tauri offers a fundamentally different security model than Electron for desktop applications. Understanding its permission system, IPC boundaries, and supply chain implications is critical.
Securing FastAPI applications with Pydantic validation, OAuth2 integration, and dependency injection patterns.
Harden your Next.js application with secure headers, API route protection, and server component safety practices.
GraphQL's flexible query language introduces injection risks that differ fundamentally from REST APIs. Preventing GraphQL injection requires understanding the query parser, resolver chain, and schema design.
Static Application Security Testing tools vary dramatically in accuracy. We analyze detection rates, false positive rates, and language coverage across leading SAST tools using standardized benchmarks.