Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
Fastify Security Posture in 2024
Fastify hit version 5.0 in September 2024 with a slimmer core, a plugin model that encourages correctness, and a security track record that genuinely distinguishes it from the Express crowd. Here is what I have learned auditing Fastify apps this year.
Database Platform Migration: Supply Chain
Database migrations touch every part of the software supply chain. This guide covers how to keep schemas, secrets, and data lineage secure during a platform change.
Build Server Compromise Investigation
A hands-on investigation guide for compromised build servers, from initial containment through rootkit checks and clean rebuild.
Legacy COBOL Supply Chain Modernization: A Pragmatic Playbook
Modernize the supply chain around COBOL systems without rewriting them. Build provenance, SBOMs, and policy gates for mainframe code that is not going anywhere.
CyberArk Conjur for Enterprise Secrets Management
Where Conjur fits in 2024 for enterprise secrets management, what it does well, where it hurts, and how to roll it out without drowning the platform team.
Incident Response Playbook: Supply Chain Compromise
A step-by-step playbook for responding to upstream dependency, build system, and vendor compromises, including roles, timelines, and stakeholder communications.
SvelteKit Supply Chain Considerations
SvelteKit's compiled-output philosophy gives it a smaller runtime footprint than React frameworks, but the build-time supply chain is just as complex. Here is what to watch for when you adopt Svelte in production.
AWS Step Functions Workflow Security
Step Functions workflows orchestrate everything from data pipelines to security automations. The workflow IAM role is almost always the most powerful thing in the stack. Here is how to lock it down.
Dependency Compromise Timeline Reconstruction
How to rebuild a precise timeline after a dependency has been compromised, using lockfile history, registry metadata, and CI logs.
Monolith to Microservices: Supply Chain Changes
What really happens to your software supply chain when you decompose a monolith into services, and how to avoid trading one risk for forty new ones.
Pydantic v2 Security Implications
Pydantic v2 rewrote the core in Rust and changed validation semantics. Here is what that means for security-sensitive code, from input coercion to ReDoS exposure.
Lessons from CrowdStrike: Rethinking How We Deploy Software Updates
The CrowdStrike outage wasn't just an EDR problem. It exposed fundamental weaknesses in how the entire industry handles software updates, from kernel drivers to SaaS platforms.