Security Blog
Practical application security guides, vulnerability research, and DevSecOps insights from our security research team.
Roslyn Security Analyzer Rules for .NET: Complete CA Rule Reference
Every Roslyn security analyzer rule for .NET: CA2100, CA3001–CA3012, CA5350–CA5403 with vulnerable code, fixes, and /warnaserror CI/CD enforcement examples.
2nd Order SQL Injection: Detection, Payloads & Fixes
2nd order SQL injection fires in a later query—not on input. Learn how to detect it manually, with SAST taint analysis, and how to fix it in PHP, Python, Java, and C# with parameterized queries.
Fix CORS Wildcard Parsing Off-by-One Bug (Origin Bypass)
Fix the CORS wildcard parsing off-by-one bug: substring checks let evil-yourcompany.com bypass your allowlist. Secure origin validation with exact-match Set in Node.js, Python & Java.
Access-Control-Allow-Headers: * Wildcard — When It's Blocked
Access-Control-Allow-Headers * wildcard: when browsers allow it, when credentials block it, why Authorization is excluded, and correct CORS header configs for APIs.
dotnet ef RunAnalyzersDuringBuild=false — Exact Fix (2026)
dotnet ef migrations failing? Pass -- /p:RunAnalyzersDuringBuild=false after the -- separator. Copy-paste CLI fix with GitHub Actions, Azure DevOps & Docker examples.
CORS: Access-Control-Allow-Credentials with Wildcard Origin Explained
Why Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true can't be combined, what breaks, what the real risks are, and the correct CORS fix for credentialed requests.
2nd Order SQL Injection: How It Works, Detection & Fixes
2nd order SQL injection stores the payload safely then fires it in a later query, bypassing most scanners. Step-by-step examples in PHP, Python, Java & SQL Server with exact fixes.
Unified SAST + DAST Reporting: Single Dashboard for AppSec
Unified SAST & DAST reporting in one dashboard: eliminate duplicate findings, align severity scales, and auto-generate PCI-DSS, SOC 2 & ISO 27001 compliance evidence.
Android Security Testing Tools & Frameworks (2026)
Best Android security testing tools for 2026: MobSF, JADX, Frida, Drozer & SAST for Android Java/Kotlin. Static and dynamic analysis workflows for Android apps.
Best .NET Static Code Analysis Tools 2026 (C# SAST Ranked)
.NET static code analysis tools ranked for 2026: Roslyn analyzers, SonarQube, Checkmarx, Fortify & Offensive360 — compared by taint analysis depth, on-premise support & pricing.
OWASP API Security Top 10: Complete Guide & Code Examples (2026)
OWASP API Security Top 10 explained: BOLA/IDOR, broken auth, mass assignment, rate limiting, CORS misconfigs — each risk with working code fixes in Node, Python & Java.
API Security Checklist: 30 Controls to Test Before You Ship (2026)
A practical API security checklist covering authentication, authorization, rate limiting, input validation, CORS, logging, and OWASP API Top 10 — with pass/fail criteria.
CORS Wildcard Risk: What It Is & How to Fix It (2026)
CORS wildcard (*) on authenticated APIs allows cross-origin data theft. See the exact attack, why reflected-origin is worse, and correct CORS configs for Node.js, Python & Java.
Hardcoded Credentials Vulnerability (CWE-798): Checkmarx Fix & Remediation
Hardcoded credentials (CWE-798) are flagged by Checkmarx, Veracode, and Fortify as critical findings. Learn the exact remediation steps, how SAST scanners detect them, and how to fix hard-coded credentials across Python, Java, C#, and Node.js.
HTML Injection: Attack Examples, Real Impact & Prevention (CWE-80)
HTML injection embeds fake login forms and phishing links into trusted pages — no JavaScript needed. Reflected, stored & DOM variants explained with output encoding fixes.
2nd Order SQL Injection: OWASP Definition, Detection & Fixes
2nd order SQL injection per OWASP WSTG-INPV-05: how deferred payloads evade scanners, how Checkmarx detects it, and parameterized query fixes in Java, Python, PHP & C#.
Command Injection: How It Works, Examples & How to Prevent It
Command injection lets attackers run OS commands on your server through unsanitized input. See how it works, real exploit examples in Python, PHP, and Java, and the correct fix.
File Path Injection: What It Is, How It Works & How to Fix It
File path injection (CWE-22) lets attackers read, overwrite, or delete arbitrary files on your server. Learn how path traversal attacks work and how to prevent them in your code.
What Is Static Code Analysis? How It Works (2026 Guide)
Static code analysis scans source code without running it — finding SQL injection, XSS, and hardcoded secrets. How taint analysis works and what to look for in a SAST tool.
Best Code Quality Analysis Tools 2026 — Ranked & Compared
Best code quality analysis tools for 2026: linters vs SonarQube vs SAST platforms. See what each tool finds, what it misses, and which stack combination catches the most bugs.
How to Prevent Hardcoded Passwords in Source Code (CWE-798)
Hardcoded passwords are scraped from public repos within minutes. Fix CWE-798 with env variables, secrets managers, and pre-commit hooks — code examples for Python, Node & Java.
Node.js vm Module Is Not a Security Mechanism: Sandbox Escapes & Fixes
The vm module is not a security mechanism — here's why: prototype chain escapes, deprecated vm2, and safe alternatives (isolated-vm, subprocess sandboxing) for untrusted Node.js code.
Best Code Vulnerability Scanning Tools 2026 (Ranked)
Code vulnerability scanning tools ranked for 2026: how taint analysis works, what each tool misses, and which SAST scanner finds SQL injection, XSS & secrets reliably.
AI-Powered SAST: The Future of Code Security in 2026
Traditional SAST tools produce 30–70% false positive rates, causing alert fatigue. AI-powered static analysis changes the equation — here's how and what it means for your security program.
SAST Tool Pricing in 2026: The True Cost of Enterprise Code Security
Breaking down the five SAST pricing models used by Checkmarx, Veracode, Fortify, Snyk, and Semgrep — and what enterprise teams actually pay versus the quoted price.
SAST vs DAST: Which Security Testing Do You Actually Need?
A practical comparison of SAST and DAST — what each finds, where they overlap, and why most teams need both. Includes decision framework and comparison table.
What Is DAST? Dynamic Application Security Testing Explained for Dev Teams
DAST tests your running application for vulnerabilities by simulating real attacks. Learn how dynamic testing works, when it beats SAST, and how to set it up.
Access-Control-Allow-Origin: * Fix Guide (CWE-942)
How to fix Access-Control-Allow-Origin: * (CWE-942): replace the CORS wildcard with a validated origin allowlist in Express, Django, Spring Boot, and Nginx — with code examples.
Best Vulnerable Web Applications for Security Testing 2026
Best vulnerable web applications for 2026: DVWA, Juice Shop, WebGoat, bWAPP & NodeGoat with Docker setup commands, coverage map, and SAST/DAST benchmarking guide.
What Is SAST? A Practitioner's Guide to Static Application Security Testing
Static Application Security Testing (SAST) analyzes your source code for security flaws before deployment. Here's how it actually works, when to use it, and what to watch out for.
Application Security Audit Checklist: 100+ Controls (2026)
Application security audit checklist with 100+ controls: SAST, DAST, API security, cryptography, headers & cloud — mapped to OWASP, PCI-DSS & SOC 2. Copy-ready.
DAST vs Penetration Testing: Key Differences (2026)
DAST vs penetration testing explained: automated scanner vs manual tester, cost ($500 DAST scan vs $15K–$50K pentest), what each finds, and when you actually need both.
API Security Best Practices 2026: 11 Controls (OWASP Top 10)
11 API security best practices with code examples: fix BOLA/IDOR, JWT algorithm confusion, mass assignment, rate limiting & CORS misconfigs mapped to the OWASP API Security Top 10.
Top 10 Static Code Analysis Tools 2026 — Ranked
Top 10 static code analysis & code vulnerability scanning tools for 2026: ranked by taint depth, language support and real pricing. Checkmarx, Fortify, SonarQube & Offensive360 compared.
How to Detect Malicious Source Code in Your Codebase
Malicious code inserted via supply chain attacks, insider threats, or compromised dependencies can hide in plain sight. Here's how to detect it systematically.
2nd Order SQL Injection: Attack Steps, Examples & Fixes
2nd order SQL injection stores a payload that fires in a later query—invisible to most scanners. Step-by-step exploit, real code examples, and parameterized query fixes in PHP, Python, Java & C#.
Log4Shell (Log4j) Vulnerability: What It Is and How to Remediate It
Log4Shell (CVE-2021-44228) is one of the most critical vulnerabilities in software history. This guide explains how it works, how to detect if you're affected, and the complete remediation steps.
Rust Vulnerabilities: Most Common Issues You Need to Know
While Rust provides memory safety advantages over C/C++, vulnerabilities still emerge — particularly when developers use unsafe code blocks or rely on libraries with security gaps.
How to Secure Docker Containers — Security Guide
Docker containers offer enhanced isolation, but organizations must implement specific safeguards. This guide covers image scanning, least privilege, network policies, secrets management, and runtime monitoring.
Jenkins Pipeline Security: How to Safely Manage CI/CD Pipelines
Jenkins interacts with multiple servers and components, making security crucial. This guide covers the most common Jenkins vulnerabilities and 13 best practices to secure your CI/CD pipeline.
How to Perform a Secure Code Review — Step-by-Step
Code review is one of the most effective ways to catch security vulnerabilities before they reach production. This guide covers the process, tools, and best practices for meaningful security-focused code review.
OpenSSL Vulnerabilities CVE-2022-3602 and CVE-2022-3786: What You Need to Know
The OpenSSL Project disclosed two high-severity vulnerabilities in October 2022. Initially labeled critical, here's what they actually mean, who is affected, and what to do.
How to Secure Kubernetes Secrets — K8s Security Guide
Kubernetes Secrets are base64 encoded but not encrypted by default. Learn how to properly secure sensitive data in K8s clusters with encryption, RBAC, and secrets management best practices.
Spring4Shell — Critical Remote Code Execution in Spring Framework (CVE-2022-22965)
Spring4Shell is a critical RCE vulnerability (CVSS 9.8) affecting Spring MVC on JDK 9+. Here's what it is, whether you're affected, and how to patch it immediately.
13 Common Java Security Vulnerabilities & How to Fix Them
The most common Java vulnerabilities: SQL injection, XXE, insecure deserialization, SSRF, EL injection, path traversal, and more — each with vulnerable vs. secure Java code examples.
CI/CD Pipeline Security Best Practices — Secure Your DevOps
Your CI/CD pipeline has access to source code, production secrets, and deployment infrastructure. Securing it is as critical as securing the application itself. Here's how.
How to Prevent Cross-Site Scripting (XSS) — Complete Guide
Cross-site scripting is consistently in the OWASP Top 10. This guide covers all three XSS types — reflected, stored, and DOM-based — with prevention strategies and code examples.