Insights on Application
Security & Secure Coding
Practical advice, vulnerability research, and industry perspectives from the SecureCodingHub team.
Prompt Injection: A Developer's Guide to Testing & Prevention
A single sentence in a customer support ticket can convince your AI agent to email its system prompt to a stranger. Pillar developer guide to prompt injection — direct vs. indirect injection, the 10 attack categories every AI agent faces (system prompt leak, role override, indirect injection, tool abuse, multi-turn, encoding, context manipulation, persona attacks, structured output hijack, length attacks), the 12 static defenses you can audit today, live red-team methodology, defense-in-depth across prompt + system + output layers, runbook for active injections, and the senior-developer mistakes that show up in incident write-ups. Ships with a free in-browser tester (no logging, no signup, 12 rules + 50 attacks).
Cybersecurity Risk Assessment: A Developer's Guide 2026
A cybersecurity risk assessment written from the engineering point of view rather than the GRC desk. Five-step process (asset inventory, threat ID, vulnerability ID, impact analysis, risk scoring), the four major frameworks compared (NIST RMF SP 800-30/37/39, ISO 27005, OCTAVE Allegro, FAIR), qualitative vs quantitative scoring with the 5x5 likelihood-impact matrix, why CVSS base scores are not risk scores (the contextual transformation with EPSS), the four canonical treatment options with engineering examples, residual risk as first-class register entries, continuous risk assessment fed by SAST/DAST/SCA in CI/CD, and the four-point risk-to-backlog loop that turns the register from audit artifact into operational tool.
What Is a CWE? Common Weakness Enumeration Explained
Every SAST report, NVD entry, and bug bounty triage thread tags findings with cwes — but most developers treat the IDs as background noise. Developer-oriented guide to the MITRE Common Weakness Enumeration: the cwe vs cve distinction (bug class vs bug instance with a real CVE→CWE mapping example), the full structure of a CWE entry walked through CWE-89 SQL Injection, the CWE Top 25 methodology, how CWE maps to the OWASP Top 10 categories, where CWE IDs surface in real SAST/NVD/bug-bounty workflows, how to read a CWE entry as a working developer, what "CWE-compatible" tooling claims actually mean, and the misconceptions that produce wasted triage effort.
Cross-Site Scripting (XSS): A Developer's Complete Guide
Cross-site scripting is the same single pattern under every variant: untrusted data concatenated into HTML or JavaScript that a browser parses and executes in the application origin. Pillar guide covering reflected, stored, and DOM-based XSS with real attack examples (Samy worm 2005, Twitter retweet worm 2010, eBay listing XSS 2014, British Airways Magecart 2018), mutation/blind/self-XSS exotic variants, the OWASP A03 absorption history, and the defense-in-depth stack: context-aware output encoding, framework safe-by-default rendering, DOMPurify for rich text, Content Security Policy with strict-dynamic, Trusted Types, HttpOnly cookies, plus SAST/DAST/IAST detection coverage.
Reflected XSS: Attack Anatomy and Prevention Guide
Reflected cross-site scripting is the non-persistent XSS variant where a payload travels in a single URL parameter, is reflected unescaped into the response, and executes against any victim who follows the crafted link. Developer deep-dive on the four-step attack flow, the production sinks (search results, error messages, redirect URLs, JSONP, form re-renders), four-language vulnerable→fixed pairs (PHP htmlspecialchars, EJS auto-escape vs raw tags, Django |safe abuse, ASP.NET Razor Html.Raw), the comparison with stored and DOM-based XSS, and the context-aware output encoding playbook that eliminates the class.
Stored XSS: Persistence, Damage, and Prevention
Stored (persistent) cross site scripting writes once and hits every viewer — no per-victim phishing, no crafted URL, just the application delivering the payload to whoever loads the page. Developer deep-dive on the storage surfaces where stored XSS lives (comments, profile fields, log viewers, file metadata, support tickets), the stored vs reflected XSS comparison, the worm history (MySpace Samy 2005, Twitter onMouseOver 2010, eBay listing XSS 2014), four vulnerable→fixed code pairs across Node/PHP/React/Python, and the rendering-time encoding playbook with DOMPurify, Bleach, HTML Purifier, and CSP as the runtime safety net.
XSS vs CSRF: Differences and Why You Need Both Defenses
Cross site request forgery vs cross site scripting: the side-by-side comparison developers ask for most often. XSS injects code that runs in the victim browser inside the application origin; CSRF rides the victim authenticated session from a different origin to fire a state-changing request. Developer guide to the 30-second difference, the attack flow for each, the dangerous combination where XSS reads CSRF tokens from the DOM and bypasses the defense entirely, a row-by-row comparison table (vector, payload, prerequisite, defense, severity), the SameSite cookie levels (Lax vs Strict vs None), synchronizer tokens and double-submit cookies, plus the adjacent xss vs sql injection comparison and why secure architectures defend against all three.
DOM-Based XSS: Sources, Sinks, and JavaScript Defenses
DOM-based cross-site scripting is the variant the server never sees — the payload lives entirely in the browser, read by JavaScript from a source like location.hash or postMessage and written into a sink like innerHTML or eval. Developer deep-dive on the DOM-XSS source/sink taxonomy (location.hash, document.referrer, postMessage, window.name, storage; innerHTML, document.write, eval, setTimeout-string, javascript: URLs), the data-flow mental model with no server roundtrip, framework escape hatches (React dangerouslySetInnerHTML, Vue v-html, Angular bypassSecurityTrust, Svelte @html), SPA hash-routing vectors, real DOM XSS examples (WordPress plugins, tag managers, postMessage handlers), and the Trusted Types architectural fix with DOMPurify and safe URL parsers.
XSS Prevention: A Defense-in-Depth Playbook
XSS prevention is layered by necessity — every individual defense (output encoding, input validation, CSP, framework escaping, sanitization, Trusted Types) has documented bypasses, and the teams that ship XSS-resistant applications stack mechanisms so a bypass of one is caught by the next. Eight-layer playbook covering context-aware output encoding (OWASP cheat sheet rules), allowlist input validation, CSP with nonces and strict-dynamic, HttpOnly+Secure+SameSite cookies, the Trusted Types API, framework defaults and escape hatches (dangerouslySetInnerHTML, v-html, bypassSecurityTrust), DOMPurify and OWASP Java Encoder configuration, Subresource Integrity for third-party scripts, plus the anti-patterns (blacklists, regex sanitization, input-time encoding, WAF complacency) and the per-feature checklist for code review.
What Is Secure Code? Definition, Examples, and Practices for Developers
Secure code is code that maintains its security guarantees under all attacker-influenced inputs and runtime conditions — not code without bugs, but code that fails safely when assumptions break. Definitional pillar covering the secure-code-vs-insecure-code boundary at the data-flow level, three concrete vulnerable→fixed pairs (Python SQL injection, JavaScript innerHTML XSS, Node path traversal), the five disciplines of safe coding (input validation, output encoding, safe defaults, explicit invariants, dependency hygiene), secure code management from repo to production, the four most common misconceptions about what secure code actually means, the layered toolchain (SAST/DAST/SCA/secret scanning) that catches what review misses, and why the same vulnerability classes recur despite decades of investment in tooling.
API Authentication & Authorization: A Developer Guide
API auth fails in five distinct ways across five mechanisms — API keys leaking into git, mTLS rotation collapsing, OAuth flows skipping PKCE, JWTs accepted with disabled signatures, session cookies pinned to wrong domains. Developer deep-dive on the OAuth 2.1 vs OIDC distinction, the JWT-vs-opaque-token architectural choice, mTLS for internal traffic, OAuth 2.1 PKCE everywhere, BOLA (broken object level authorization) prevention with verifyOwnership patterns, mass assignment vulnerability fixes, and centralized authorization with OPA/Cedar policy engines.
OWASP API Security Top 10 (2023): Developer Guide
The OWASP API Security Top 10 (2023) describes the bugs production teams ship — BOLA, BFLA, BOPLA, unrestricted resource consumption, broken authentication, security misconfiguration. Developer deep-dive on each API1-API10 category with real incidents (Optus 2022 BOLA, Peloton 2021, T-Mobile 2023, Twitter 2022 token leak, Capital One 2019 SSRF→IAM), code-level fixes for broken access control patterns at the API layer, and the cross-cutting playbook: API inventory, schema validation, central authorization, rate limiting, observability.
Container Security: A Developer Guide from Build to Runtime
Container security is five distinct surfaces — build, registry, admission, runtime, and observation — and most programs invest in one and call it done. Developer deep-dive on Dockerfile best practices that actually matter (USER, multi-stage, digest pinning), image scanning (Trivy, Grype, Snyk Container, Docker Scout), the distroless movement (Google distroless, Chainguard, Wolfi), Sigstore + Cosign for image signing, Kubernetes admission control (Pod Security Standards, OPA Gatekeeper, Kyverno), runtime threat detection with Falco and Tetragon eBPF, and default-deny network policies as the lateral-movement gate.
Secret Scanning: A Developer Guide to Detection 2026
Every repo has leaked credentials in its history — the question is whether a bot finds them before you do. Developer deep-dive on the four-stage leak lifecycle (commit, push, exposure, harvest within seconds), detection strategies (regex, entropy, ML), the tool landscape (Gitleaks, TruffleHog, GitHub Secret Scanning, GitGuardian, detect-secrets, ggshield), pre-commit vs server-side vs continuous scanning, the rotation-before-history-rewrite incident response, false-positive discipline, and architectural prevention via secret managers (Vault, AWS Secrets Manager, Doppler) and OIDC federation. Uber 2022, Toyota 2023, Mercedes-Benz 2024.
SSRF (OWASP A10): Examples, Detection & Fixes 2026
Server-Side Request Forgery turned every URL fetcher in your application into a pivot point — webhooks, image processors, OAuth callbacks, link previewers, RSS readers. Developer deep-dive on the cloud metadata crown jewel (AWS IMDSv1 vs IMDSv2 hop-limit defenses, the Capital One 2019 lesson), internal network reconnaissance, the SSRF-to-RCE chain via Redis SLAVEOF and gopher://, the bypass library (DNS rebinding, decimal/octal IPs, IPv6 representations, redirects), blind SSRF detection, and the defense-in-depth stack where network segmentation matters more than application code.
Software & Data Integrity Failures (OWASP A08) Guide
A08 merged Insecure Deserialization with the new supply chain integrity category. Developer deep-dive on the three faces of A08 — deserialization (Java ObjectInputStream, Python pickle, ysoserial gadget chains), supply chain compromise (SolarWinds, CodeCov, Kaseya, 3CX, xz-utils 2024), and CI/CD pipeline tampering — with the integrity toolchain to fix them: SLSA framework levels, in-toto attestations, Sigstore + Cosign keyless signing via OIDC, signed SBOM, and the "trust, made verifiable" architecture pattern.
Logging & Monitoring Failures (OWASP A09): Dev Guide
A09 is the category where breaches stop being a code problem and start being a detection problem. Developer deep-dive on the three detection gaps every team has, what to log (and what never to log — passwords, tokens, full PAN), structured JSON discipline, retention tiers (PCI 12 months, HIPAA 6 years), turning logs into alerts (MITRE ATT&CK mapping, false-positive budgets, runbooks), and the MTTD/MTTR reality where industry medians sit at 200+ days. Equifax, Target, and Capital One as case studies.
Insecure Design (OWASP A04): Examples & Fixes 2026
A04 was added to OWASP 2021 because most "code-secure but design-broken" findings had nowhere else to live. Developer deep-dive on the bright line between insecure design and insecure implementation, business logic flaws (rate-limit bypass, money-transfer races, coupon stacking, account-recovery abuse), threat modeling as the cure, secure design patterns (deny-by-default, defense in depth, fail-securely), the anti-patterns developers reach for, and the reference architectures (ASVS, NIST 800-160, MS SDL, SLSA) worth borrowing from.
Software Composition Analysis: A Developer Guide to SCA
Modern applications are 80%+ open-source code, and that code is the security perimeter most teams underinvest in. Software Composition Analysis covers transitive dependencies, lockfiles, CVE scanning vs reachability analysis, SBOM generation under EO 14028 and EU CRA, dependency confusion and typosquatting, and an honest tool comparison across Dependabot, Snyk, Mend, Socket, OSV-Scanner, Trivy, Grype, and Syft. Pipeline integration, license compliance, and the SCA traps that produce alert fatigue without reducing risk.
Cryptographic Failures (OWASP A02): Examples & Fixes
Cryptographic Failures (A02) covers every place data confidentiality and integrity rely on the wrong primitive, the wrong configuration, or a key-management failure that makes the encryption irrelevant. Developer deep-dive on weak algorithms (MD5, SHA-1, DES, ECB), AEAD vs CBC and IV reuse, password hashing with Argon2id and bcrypt, TLS misconfiguration, and the key-management discipline — KMS, envelope encryption, rotation — that separates encryption that protects data from encryption that just looks like it does.
Injection (OWASP A03): Examples, Detection & Fixes in 2026
Injection is the same single pattern under every variant: untrusted data interpreted as code, query, or command by a downstream interpreter. Developer deep-dive on SQL injection (UNION, error-based, blind, ORM raw-query escape hatches, second-order), NoSQL operator injection, command injection and shell=True patterns, server-side template injection (SSTI) in Jinja2/Handlebars, plus the long tail of LDAP/XPath/ORM lazy-loading/GraphQL. The mitigation playbook is parameterized queries, prepared statements, ORM safe-method allowlists, and context-aware output encoding — implemented from the data-flow up.
Authentication Failure (OWASP A07): Examples & Fixes
Every authentication failure under OWASP A07 (formerly Broken Authentication) gates every other control: a broken authentication system invalidates the access control, session, and authorization layers stacked on top. Developer guide covering bcrypt/argon2id password storage, breach-corpus credential checks, MFA factor selection (TOTP/FIDO2/passkeys), session management (rotation, invalidation, cookie attributes), JWT pitfalls (alg:none, algorithm confusion, sensitive claims), OAuth/OIDC bugs (open redirector + state, PKCE, refresh token theft), and passwordless implementation realities — with the mitigation playbook that ties them together.
PCI DSS Compliance Training Programs: A Buyer's Guide
Choosing a PCI DSS compliance training vendor is now a 6.2.2 evaluation problem, not a procurement checkbox. The 2026 assessment cycle is the first where assessors look for capability evidence — language-specific content, job-function tailoring, retention measurement, attack-class coverage matching 6.2.4 — rather than completion certificates. This buyer guide reframes the criteria, walks the eight capabilities a qualifying program must provide, contrasts off-the-shelf compliance video with hands-on code-based training, and lays out a 4-week pilot evaluation process with QSA pre-validation.
What PCI DSS Non-Compliance Actually Costs in 2026
PCI non-compliance is not one number — it is a layered cost. Acquiring banks invoice $5,000-$100,000 per month while violations run; card brand assessments add another tier of penalties post-breach; the required PCI Forensic Investigator engagement runs $40K-$200K typical. The real killer is per-card breach liability: Visa and Mastercard charge per compromised record and aggregate liability can reach $100-$500 per card across millions. Full breakdown with the indirect costs most estimates skip, the most common path to non-compliance, and why a 6.2.2-aligned secure coding training program is a fraction of the lower bound.
DevSecOps Engineering: A 2026 Role Guide for Engineers Building the Function
DevSecOps engineering is the discipline of integrating security into the software delivery pipeline so testing, policy enforcement, and remediation happen continuously alongside the build/test/deploy flow rather than as a separate gating activity. Full role guide covering responsibilities, technical and soft skills, the toolchain a DevSecOps engineer owns, how the function fits into engineering org models (embedded, centralized, federated), career pipelines into the role, and the anti-patterns that wreck programs.
What Is a Bug Bounty Program? A Developer's Guide for 2026
Bug bounty programs pay external security researchers for verified, in-scope vulnerabilities. Developer guide to how programs actually work end-to-end: scope and severity rubrics, the major platforms (HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack), how bounty differs from pentest and VDP, what makes programs succeed or fail, and what to do when a triage-validated finding lands in your engineering queue.
IAST vs DAST vs SAST: A Developer's Comparison of Application Security Testing in 2026
SAST sees everything in the code and understands nothing about runtime. DAST sees nothing in the code and understands real runtime behavior. IAST tries to combine both at the cost of needing an agent and meaningful test coverage. Full developer guide comparing the three application security testing pillars: how each works, what each catches and misses, the 2026 tooling landscape, CI/CD integration patterns, and the starter combination for teams building out an AppSec program.
Broken Access Control (OWASP A01): Examples, Patterns, and Fixes in 2026
Broken access control is ranked A01 on the OWASP Top 10 — the top risk for four years running. Developer guide covering IDOR, vertical and horizontal privilege escalation, function-level access control failures, JWT pitfalls (alg:none, algorithm confusion), the two-user testing methodology that catches them in CI, and the architectural mitigation playbook that turns A01 from a recurring pentest finding into a property of the authorization model.
Security Misconfiguration (OWASP A05): Examples, Detection, and Fixes in 2026
More production breaches trace back to security misconfiguration than to any single code-level vulnerability. Full developer guide to OWASP A05: the six categories where misconfiguration actually lives, cloud-era permutations (IAM, container, serverless), CI/CD detection patterns, and the engineering playbook that turns misconfiguration from a recurring incident category into a property of the pipeline.
Capture the Flag (CTF) for Developers: How to Start in 2026
CTF is the shortest path between reading about a vulnerability class and recognizing it in unfamiliar code. Full starter guide: Jeopardy vs attack-defense, the seven categories that matter, beginner platforms (picoCTF, TryHackMe, HackTheBox), how to prepare for a first event, and how to run an internal CTF as the front door to a serious secure coding program.
Threat Modeling for Developers: STRIDE, PASTA, and OWASP Threat Dragon in 2026
Threat modeling is the design-phase practice that catches vulnerabilities while they are still cheap to fix. STRIDE walkthrough on a sample e-commerce app, PASTA for risk-heavy systems, LINDDUN for privacy, OWASP Threat Dragon and commercial tooling compared, and the anti-patterns that kill threat modeling programs.
The Secure SDLC Guide: From Requirements to Deployment in 2026
A secure SDLC (synonymous with security SDLC) is not a framework you buy — it is six phases stitched into how your team already ships: requirements, design, implementation, verification, release, and response. Full playbook comparing NIST SSDF, Microsoft SDL, OWASP SAMM and BSIMM, plus rollout patterns, failure modes, and the maturity arc from ad-hoc to measured.
PCI DSS Vulnerability Scanning: ASV Scans, Internal Scans, and Requirement 11.3 in 2026
PCI DSS Req 11.3 demands external ASV scans, authenticated internal scans, rescans after significant change, and documented remediation. Full operational guide — ASV vendor selection, failed-scan handling, and how scan findings feed the developer training loop.
PCI DSS Awareness Training: The 12.6.1 Compliance Guide for 2026
PCI DSS 4.0.1 Requirement 12.6.1 covers all personnel with CDE access — not just developers. Who is in scope, what content qualifies, how it differs from 6.2.2 developer training, and the evidence bundle your QSA expects in the 2026 assessment cycle.
Reviewing AI-Generated Code: The Code Security Training Checklist for Every Copilot Pull Request
AI-generated code needs a different review lens than human-written code. A 25-point code security training checklist covering injection, auth, crypto, supply chain, and error handling — with the team-level training habit that makes every reviewer fluent at PR velocity.
Secure Development Under the EU Cyber Resilience Act: What Developers Must Deliver by September 2026
The EU Cyber Resilience Act turns secure development into a legal obligation across every connected product. What Annex I actually requires, why September 2026 is the first real deadline, how the 10-year documentation retention works, the open-source carve-outs, and a concrete readiness checklist for both the 2026 and 2027 cutovers.
Secure Coding Training for PCI DSS 4.0.1: What Requirement 6.2.2 Actually Demands (And What Most Programs Miss)
PCI DSS 4.0.1 Requirement 6.2.2 is assessed for real in 2026. What the text actually demands (language-specific, role-mapped, hands-on), why most compliance training fails the new bar, and the seven-artifact evidence package your QSA will want to see.
MCP Security: The Developer's Complete Guide to Tool Poisoning, Prompt Injection, and the New AI Attack Surface
A 10,000+ word pillar guide to Model Context Protocol security. The full attack surface — tool poisoning, indirect prompt injection, rug pulls, confused deputy, exfiltration chains — mapped to OWASP LLM Top 10 and PCI DSS / EU CRA, with concrete secure server and client patterns.
The AI Productivity Paradox: Why Secure Coding Skills Matter More Than Ever
AI assistants generate more code and more vulnerabilities at the same time. Research shows developers with AI tools write less secure code while feeling more confident. Why secure coding skills matter more than ever in 2026.
Secure Code Review Best Practices for Modern Teams
Code review is one of the most effective ways to catch security vulnerabilities before they reach production. Here's how to build a review process that actually finds real bugs.
Why Traditional Security Training Fails (And What Works Instead)
Annual compliance videos and slide decks don't change developer behavior. We break down the evidence and explore what actually reduces vulnerabilities in production code.
OWASP Top 10 2025: What Changed and Why It Matters
The latest OWASP Top 10 brings significant changes to how we categorize and prioritize web application risks. Here's a deep dive into what moved, what's new, and what it means for your team.
Building a Developer Security Champions Program
Security champions bridge the gap between security and engineering. Learn how to identify, train, and empower developers who can drive security culture from within.
The Real Cost of Insecure Code: Beyond the Breach
Data breach headlines capture attention, but the true cost of insecure code runs much deeper — from developer velocity to technical debt to customer trust.
From Vulnerability to Fix: Teaching Developers to Think Like Attackers
The most effective secure coding training helps developers understand the attacker's perspective. Here's why offensive thinking produces better defensive code.