Safeguard
Topic

Best Practices

In-depth guides and analysis on best practices from the Safeguard engineering team.

252 articles

Best Practices

Red team vs. blue team fundamentals: how to structure the exercise

MITRE ATT&CK went public in May 2015 to give red and blue teams a shared language — most organizations still run the two in total isolation.

Jul 12, 20266 min read
Best Practices

Webhook security best practices: HMAC signing, replay protection, and IP allowlisting

Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.

Jul 11, 20267 min read
Best Practices

Building a secure coding culture: training, champions, and incentives that stick

Verizon's 2025 DBIR found the human element in ~60% of breaches. A practical playbook for training, champions programs, and incentives that actually change developer behavior.

Jul 10, 20267 min read
Best Practices

Running internal CTFs to build real security skills on engineering teams

picoCTF drew 39,000 players in 2019 across 160 countries — proof that gamified security training scales. Here's how to run the same model internally.

Jul 10, 20266 min read
Best Practices

Auditing and pinning transitive Java dependencies with Maven and Gradle

Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.

Jul 10, 20266 min read
Best Practices

What CISA's Secure by Design Pledge Actually Requires

CISA's Secure by Design pledge asks 68+ vendors for measurable one-year progress on 7 goals. Here's what those goals mean for engineering teams.

Jul 10, 20266 min read
Best Practices

The real ROI of shifting left: what early flaw detection actually saves

A 2025 data breach averages $4.44M globally and $10.22M in the US. Here's a defensible cost model for catching flaws before they ship, not after.

Jul 9, 20266 min read
Best Practices

Verifying open source package provenance with SLSA and Sigstore

A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.

Jul 9, 20267 min read
Best Practices

A Step-by-Step Methodology for Mapping and Prioritizing Attack Surface

CVE-2023-34362 sat in one internet-facing file-transfer server and still produced thousands of downstream breaches — attack surface mapping is what catches that server before Cl0p does.

Jul 8, 20267 min read
Best Practices

Running Capture the Flag exercises for internal security training

DEF CON CTF has run since 1996, yet most engineering orgs still train security awareness with slide decks instead of the format that actually built the industry.

Jul 8, 20267 min read
Best Practices

The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security

Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.

Jul 8, 20267 min read
Best Practices

Data loss prevention for developers: stopping leaks before they hit the network

CWE-532 covers secrets logged in plaintext — the exact bug that led Twitter to reset every password on May 3, 2018. Network DLP can't catch it; your code has to.

Jul 8, 20267 min read
Best Practices (Page 2) — Supply Chain Security Blog | Safeguard