The SafeStack Blog

Practical AppSec for engineers

Practitioner-written articles on application security, secure code review, threat modeling, and SDLC security. No vendor pitch — just useful knowledge.

Abstract illustration showing a security check arriving too late in the pipeline
AppSec Strategy

Why Shift Left Fails (And What to Do Instead)

The "shift left" mantra has dominated AppSec for a decade. Here's why it's not delivering results for most teams — and a more practical approach.

Abstract STRIDE threat model diagram with hexagonal nodes
Threat Modeling

Threat Modeling Without Security Expertise

You don't need a CISSP to run a useful threat modeling session. Here's how any engineering team can do it in 90 minutes.

Abstract code document with security check marks
Code Review

The Secure Code Review Checklist

A practical, technology-agnostic checklist for spotting security vulnerabilities during code review.

Abstract diagram showing malicious package pulled from public registry
Supply Chain

Dependency Confusion Explained

How attackers exploit the way package managers resolve internal vs external dependencies — and how to protect your build pipeline.

Abstract illustration of small team with large security shield
Small Teams

AppSec for Small Engineering Teams

A practical guide to building an AppSec practice when you have five engineers and no dedicated security team. What to prioritise first.

Abstract JWT token structure with vulnerability highlighted
Authentication

JWT Security Mistakes Engineers Keep Making

JWTs are everywhere. These are the five most common security mistakes teams make implementing JWT-based authentication.

Abstract CI/CD pipeline with security gate checkpoints
SDLC

Security Gates Across the SDLC

How to embed security checks at commit, build, and deploy — without creating friction that causes engineers to work around them.

Abstract Terraform configuration with security warnings
Infrastructure

IaC Security: Catching Terraform Misconfigurations

Infrastructure-as-code brings new attack surface. The most common Terraform security misconfigurations and how to catch them in CI.

Abstract REST API endpoint diagram with security probes
API Security

API Security Testing: A Practitioner's Guide

How to test your APIs for security vulnerabilities beyond what automated scanners find. Manual testing approaches that surface real risk.

Abstract code file with hardcoded secret credential highlighted
Secrets Management

Secrets in Code: The Risk Nobody Audits

Hardcoded credentials and API keys in source code remain one of the most common and impactful security failures. Here's how to find and eliminate them.

Abstract OAuth authorization flow with vulnerability in redirect
Authentication

OAuth Authorization Patterns That Go Wrong

OAuth is widely used and frequently misconfigured. The authorization code flow pitfalls that lead to account takeover and token theft.

Abstract layered defense diagram blocking attack arrows
Input Validation

Input Validation Beyond Sanitization

Sanitisation is necessary but not sufficient. A layered approach to input validation that accounts for encoding, context, and business logic.

Abstract zero trust architecture with verification checkpoints
Zero Trust

Zero Trust for Engineering Teams

What zero trust actually means for a software team — beyond the vendor marketing. Practical principles your engineering team can apply today.

Abstract bar chart of OWASP Top 10 vulnerability categories
OWASP

What's Changed in the OWASP Top 10 (2025)

The 2025 update brings new entries and re-rankings. What the changes mean for your team's security priorities and where to focus first.

Read →

Put this knowledge into practice

SafeStack integrates security knowledge into the workflow your team already uses.