Security Blog
Practical application security guides, vulnerability research, and DevSecOps insights from our security research team.
Roslyn Security Analyzer Rules for .NET: Complete CA Rule Reference
Every Roslyn security analyzer rule for .NET: CA2100, CA3001–CA3012, CA5350–CA5403 with vulnerable code, fixes, and /warnaserror CI/CD enforcement examples.
2nd Order SQL Injection: Detection, Payloads & Fixes
2nd order SQL injection fires in a later query—not on input. Learn how to detect it manually, with SAST taint analysis, and how to fix it in PHP, Python, Java, and C# with parameterized queries.
Fix CORS Wildcard Parsing Off-by-One: Bypass Demo & Secure Fix
Fix CORS wildcard parsing off-by-one bugs in gin-contrib/cors, Node.js, Python & Java. Shows the exact bypass, why substring checks fail, and the secure allowlist pattern.
Access-Control-Allow-Headers: * Wildcard — When It's Blocked
Access-Control-Allow-Headers * wildcard: when browsers allow it, when credentials block it, why Authorization is excluded, and correct CORS header configs for APIs.
dotnet ef + RunAnalyzersDuringBuild=false: Fix Analyzer Conflicts
dotnet ef migrations failing? Pass -- /p:RunAnalyzersDuringBuild=false to skip Roslyn analyzers only for EF builds. CLI, GitHub Actions, Azure DevOps & Docker examples.
CORS: Access-Control-Allow-Credentials with Wildcard Origin Explained
Why Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true can't be combined, what breaks, what the real risks are, and the correct CORS fix for credentialed requests.
2nd Order SQL Injection: How It Works, Detection & Fixes
2nd order SQL injection stores the payload safely then fires it in a later query, bypassing most scanners. Step-by-step examples in PHP, Python, Java & SQL Server with exact fixes.
Unified SAST + DAST Reporting: Single Dashboard for AppSec
Unified SAST & DAST reporting in one dashboard: eliminate duplicate findings, align severity scales, and auto-generate PCI-DSS, SOC 2 & ISO 27001 compliance evidence.
Android Security Testing Tools & Frameworks (2026)
Best Android security testing tools for 2026: MobSF, JADX, Frida, Drozer & SAST for Android Java/Kotlin. Static and dynamic analysis workflows for Android apps.
.NET Static Code Analysis Tools 2026: Best C# SAST Tools Ranked
.NET static code analysis tools ranked for 2026: Roslyn analyzers, SonarQube, Checkmarx, Fortify & Offensive360 compared by taint depth, C# coverage, on-premise support & pricing.
OWASP API Security Top 10: Complete Guide & Code Examples (2026)
OWASP API Security Top 10 explained: BOLA/IDOR, broken auth, mass assignment, rate limiting, CORS misconfigs — each risk with working code fixes in Node, Python & Java.
API Security Checklist: 30 Controls to Test Before You Ship (2026)
A practical API security checklist covering authentication, authorization, rate limiting, input validation, CORS, logging, and OWASP API Top 10 — with pass/fail criteria.
CORS Wildcard Risk: What It Allows, When It's Dangerous & How to Fix It
CORS wildcard (Access-Control-Allow-Origin: *) on authenticated APIs exposes user data. See the exact attack, why reflected-origin is worse, and correct CORS configs for Node.js, Python & Java.
Hardcoded Credentials Vulnerability (CWE-798): Checkmarx Fix & Remediation
Hardcoded credentials (CWE-798) are flagged by Checkmarx, Veracode, and Fortify as critical findings. Learn the exact remediation steps, how SAST scanners detect them, and how to fix hard-coded credentials across Python, Java, C#, and Node.js.
HTML Injection: Attack Examples, Real Impact & Prevention (CWE-80)
HTML injection embeds fake login forms and phishing links into trusted pages — no JavaScript needed. Reflected, stored & DOM variants explained with output encoding fixes.
2nd Order SQL Injection: OWASP Definition, Detection & Fixes
2nd order SQL injection per OWASP WSTG-INPV-05: how deferred payloads evade scanners, how Checkmarx detects it, and parameterized query fixes in Java, Python, PHP & C#.
Command Injection: How It Works, Examples & How to Prevent It
Command injection lets attackers run OS commands on your server through unsanitized input. See how it works, real exploit examples in Python, PHP, and Java, and the correct fix.
File Path Injection: What It Is, How It Works & How to Fix It
File path injection (CWE-22) lets attackers read, overwrite, or delete arbitrary files on your server. Learn how path traversal attacks work and how to prevent them in your code.
What Is Static Code Analysis? How It Works (2026 Guide)
Static code analysis scans source code without running it — finding SQL injection, XSS, and hardcoded secrets. How taint analysis works and what to look for in a SAST tool.
Code Quality Analysis Tools 2026: Linters, SonarQube & SAST Ranked
Code quality analysis tools compared: linters, SonarQube, and SAST platforms ranked for 2026. Find out what each finds, what it misses, and the right combination for your stack.
How to Prevent Hardcoded Passwords in Source Code (CWE-798)
Hardcoded passwords are scraped from public repos within minutes. Fix CWE-798 with env variables, secrets managers, and pre-commit hooks — code examples for Python, Node & Java.
Node.js vm Module Is Not a Security Mechanism: Sandbox Escapes & Fixes
The vm module is not a security mechanism — here's why: prototype chain escapes, deprecated vm2, and safe alternatives (isolated-vm, subprocess sandboxing) for untrusted Node.js code.
Code Vulnerability Scanning Tools 2026: How They Work & What They Find
Code vulnerability scanning tools explained: taint analysis vs pattern matching, what each tool misses, and how to pick a scanner that reliably finds SQLi, XSS & hardcoded secrets.
AI-Powered SAST: The Future of Code Security in 2026
Traditional SAST tools produce 30–70% false positive rates, causing alert fatigue. AI-powered static analysis changes the equation — here's how and what it means for your security program.
SAST Tool Pricing in 2026: The True Cost of Enterprise Code Security
Breaking down the five SAST pricing models used by Checkmarx, Veracode, Fortify, Snyk, and Semgrep — and what enterprise teams actually pay versus the quoted price.
SAST vs DAST: Which Security Testing Do You Actually Need?
A practical comparison of SAST and DAST — what each finds, where they overlap, and why most teams need both. Includes decision framework and comparison table.
What Is DAST? Dynamic Application Security Testing Explained for Dev Teams
DAST tests your running application for vulnerabilities by simulating real attacks. Learn how dynamic testing works, when it beats SAST, and how to set it up.
Access-Control-Allow-Origin: * Fix Guide (CWE-942)
How to fix Access-Control-Allow-Origin: * (CWE-942): replace the CORS wildcard with a validated origin allowlist in Express, Django, Spring Boot, and Nginx — with code examples.
Best Vulnerable Web Application List for Security Testing (2026)
Best vulnerable web applications for security testing: DVWA, OWASP Juice Shop, WebGoat, bWAPP & NodeGoat ranked with Docker setup, vulnerability coverage, and SAST/DAST benchmarking tips.
What Is SAST? A Practitioner's Guide to Static Application Security Testing
Static Application Security Testing (SAST) analyzes your source code for security flaws before deployment. Here's how it actually works, when to use it, and what to watch out for.
Application Security Audit Checklist: 100+ Controls (2026)
Application security audit checklist with 100+ controls: SAST, DAST, API security, cryptography, headers & cloud — mapped to OWASP, PCI-DSS & SOC 2. Copy-ready.
DAST vs Penetration Testing: What Each Finds & When to Use Both
DAST vs penetration testing: key differences, what each finds, cost comparison, and when you need both. Covers injection, business logic, compliance, and CI/CD integration.
API Security Best Practices 2026: 11 Controls (OWASP Top 10)
11 API security best practices with code examples: fix BOLA/IDOR, JWT algorithm confusion, mass assignment, rate limiting & CORS misconfigs mapped to the OWASP API Security Top 10.
Top 10 Static Code Analysis Tools 2026: Ranked by Taint Depth
Top 10 static code analysis tools for 2026: Offensive360, Checkmarx, Fortify, SonarQube & Semgrep ranked by taint depth, language coverage, on-premise support & real pricing.
How to Detect Malicious Source Code in Your Codebase
Malicious code inserted via supply chain attacks, insider threats, or compromised dependencies can hide in plain sight. Here's how to detect it systematically.
2nd Order SQL Injection: Attack Steps, Examples & Fixes
2nd order SQL injection stores a payload that fires in a later query—invisible to most scanners. Step-by-step exploit, real code examples, and parameterized query fixes in PHP, Python, Java & C#.
Log4Shell (Log4j) Vulnerability: What It Is and How to Remediate It
Log4Shell (CVE-2021-44228) is one of the most critical vulnerabilities in software history. This guide explains how it works, how to detect if you're affected, and the complete remediation steps.
Rust Vulnerabilities: Most Common Issues You Need to Know
While Rust provides memory safety advantages over C/C++, vulnerabilities still emerge — particularly when developers use unsafe code blocks or rely on libraries with security gaps.
How to Secure Docker Containers — Security Guide
Docker containers offer enhanced isolation, but organizations must implement specific safeguards. This guide covers image scanning, least privilege, network policies, secrets management, and runtime monitoring.
Jenkins Pipeline Security: How to Safely Manage CI/CD Pipelines
Jenkins interacts with multiple servers and components, making security crucial. This guide covers the most common Jenkins vulnerabilities and 13 best practices to secure your CI/CD pipeline.
How to Perform a Secure Code Review — Step-by-Step
Code review is one of the most effective ways to catch security vulnerabilities before they reach production. This guide covers the process, tools, and best practices for meaningful security-focused code review.
OpenSSL Vulnerabilities CVE-2022-3602 and CVE-2022-3786: What You Need to Know
The OpenSSL Project disclosed two high-severity vulnerabilities in October 2022. Initially labeled critical, here's what they actually mean, who is affected, and what to do.
How to Secure Kubernetes Secrets — K8s Security Guide
Kubernetes Secrets are base64 encoded but not encrypted by default. Learn how to properly secure sensitive data in K8s clusters with encryption, RBAC, and secrets management best practices.
Spring4Shell — Critical Remote Code Execution in Spring Framework (CVE-2022-22965)
Spring4Shell is a critical RCE vulnerability (CVSS 9.8) affecting Spring MVC on JDK 9+. Here's what it is, whether you're affected, and how to patch it immediately.
13 Common Java Security Vulnerabilities & How to Fix Them
The most common Java vulnerabilities: SQL injection, XXE, insecure deserialization, SSRF, EL injection, path traversal, and more — each with vulnerable vs. secure Java code examples.
CI/CD Pipeline Security Best Practices — Secure Your DevOps
Your CI/CD pipeline has access to source code, production secrets, and deployment infrastructure. Securing it is as critical as securing the application itself. Here's how.
How to Prevent Cross-Site Scripting (XSS) — Complete Guide
Cross-site scripting is consistently in the OWASP Top 10. This guide covers all three XSS types — reflected, stored, and DOM-based — with prevention strategies and code examples.