Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
Red team vs. blue team fundamentals: how to structure the exercise
MITRE ATT&CK went public in May 2015 to give red and blue teams a shared language — most organizations still run the two in total isolation.
Webhook security best practices: HMAC signing, replay protection, and IP allowlisting
Stripe gives webhook signatures a 5-minute tolerance window; GitHub signs with HMAC-SHA256. Here's how to build inbound and outbound webhooks that survive both.
Building a secure coding culture: training, champions, and incentives that stick
Verizon's 2025 DBIR found the human element in ~60% of breaches. A practical playbook for training, champions programs, and incentives that actually change developer behavior.
Running internal CTFs to build real security skills on engineering teams
picoCTF drew 39,000 players in 2019 across 160 countries — proof that gamified security training scales. Here's how to run the same model internally.
Auditing and pinning transitive Java dependencies with Maven and Gradle
Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.
What CISA's Secure by Design Pledge Actually Requires
CISA's Secure by Design pledge asks 68+ vendors for measurable one-year progress on 7 goals. Here's what those goals mean for engineering teams.
The real ROI of shifting left: what early flaw detection actually saves
A 2025 data breach averages $4.44M globally and $10.22M in the US. Here's a defensible cost model for catching flaws before they ship, not after.
Verifying open source package provenance with SLSA and Sigstore
A maintainer account takeover hid a backdoor in xz-utils for years. SLSA provenance and Sigstore signing are how you catch the next one before it ships.
A Step-by-Step Methodology for Mapping and Prioritizing Attack Surface
CVE-2023-34362 sat in one internet-facing file-transfer server and still produced thousands of downstream breaches — attack surface mapping is what catches that server before Cl0p does.
Running Capture the Flag exercises for internal security training
DEF CON CTF has run since 1996, yet most engineering orgs still train security awareness with slide decks instead of the format that actually built the industry.
The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security
Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.
Data loss prevention for developers: stopping leaks before they hit the network
CWE-532 covers secrets logged in plaintext — the exact bug that led Twitter to reset every password on May 3, 2018. Network DLP can't catch it; your code has to.