Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
IoT device security fundamentals: firmware integrity, credentials, and network isolation
One hardcoded Telnet password list built a 100,000-device botnet in 2016. A decade later, the same three failures still define most IoT breaches.
Secure code review: the checklist reviewers actually need
Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.
Ransomware defense strategy for engineering teams
Ransomware hit 44% of breaches in Verizon's 2025 DBIR, up from 32% a year prior. Here's the backup, access, and detection playbook that actually stops it.
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
AppSec anti-patterns to eliminate
23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.
The security hygiene checklist most engineering orgs still skip
22% of breaches start with stolen credentials, per Verizon's 2025 DBIR. A quarter-long hygiene checklist — patching, MFA, secrets, least privilege — closes most of that gap.
Disaster recovery testing: a practical guide to tabletop, failover, and RTO/RPO drills
GitLab's 2017 outage revealed 5 backup mechanisms had silently failed for weeks — recovery took 18 hours because no one had ever test-restored one.
Disaster recovery testing methodologies compared
DR plans fail when they're never really tested. Here's how tabletop, simulation, parallel, and full interruption tests differ — and when each is worth the risk.
Securing Your Ruby Dev Environment on macOS: rbenv, rvm, and Checksums
60 malicious RubyGems downloaded ~275,000 times went undetected for years — here's how to actually verify what rbenv or rvm installs on your Mac.
Security considerations for authenticating CLI tools through corporate proxies
Two 2026 curl CVEs show proxy credentials leaking across redirects and reused connections — plus why .npmrc still stores proxy passwords in plaintext.
Writing your first Jest unit tests for security-critical JavaScript
Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.
Mocking APIs for secure testing: MSW and json-server for error and auth flows
MSW intercepts requests at the network layer; json-server spins up a fake REST API in one command. Neither should ever touch a real backend or real credentials.