Best Practices
In-depth guides and analysis on best practices from the Safeguard engineering team.
252 articles
Security Champions With a Supply Chain Focus
Designing and running a security champions program specifically for supply chain risks, including recruitment, training, cadences, and measurable impact.
Reproducible Builds in the Go Ecosystem
Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.
Flask Application Security: A Deep Dive
Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.
Developer-Focused Security Awareness for Supply Chain
A supply-chain-specific developer awareness curriculum that replaces generic phishing drills with content engineers actually need, measured by behavior change.
Security Code Review Best Practices
How to make code reviews an effective security checkpoint without turning every PR into a week-long security audit.
Container Image Hardening Checklist
A comprehensive checklist for hardening your container images, from base image selection to runtime protections, with practical Dockerfile examples.
The End-of-Year Dependency Audit Ritual
Most dependency audits get done in a panic after a CVE lands. A planned year-end audit is cheaper, more thorough, and produces a backlog you can actually work through in Q1.
Open Source Policy Template for Enterprises
A practical template for crafting an enterprise open-source usage policy that balances developer freedom with security and compliance requirements.
Shifting Left Without Slowing Down
How to integrate security earlier in the development lifecycle without turning your CI pipeline into a bottleneck that developers hate.
Secure Coding Practices: A Developer's Guide
Practical secure coding habits every developer should build, covering input validation, authentication, dependency management, and more.
Why Dependency Pinning Alone Is Not Enough
Pinning dependencies feels like a complete answer to supply chain risk. It is not — and the gap between pinning and real integrity matters more in 2022 than ever.
A First-Principles Guide to Artifact Signing in 2022
Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.