DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
376 articles
Secure SDLC: A Practical Guide to Embedding Security Gates in Every Phase
NIST finalized the Secure Software Development Framework in February 2022, yet most teams still bolt security on at release. Here's where the gates actually belong.
Building AppSec Training Programs That Actually Change Behavior
OWASP's 2021 Top 10 added Insecure Design as its largest category by CWE count, yet most developer training still teaches syntax, not decisions.
Does gamification actually make security training work?
picoCTF drew 18,000+ participants in 2025, but research shows points and badges boost engagement far more reliably than they change security behavior.
Securing Secrets and Environment Variables in GitHub Actions
A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.
A framework for consolidating SAST, DAST, and SCA tools
Enterprises run 45 security tools on average, and 50+ tool stacks detect incidents 8% worse. Here's when AppSec consolidation actually pays off.
Building a security-first engineering culture
Only 16.2% of orgs deploy on demand, per DORA's 2025 report. The gap between elite and low performers is culture, not tooling — here's how CISOs close it.
The secure SDLC implementation guide: gates for every phase
NIST's SSDF names four practice groups, but most teams bolt security onto one phase. Here's how to gate design, code, build, and release instead.
DevSecOps best practices for secure builds: an 8-point SDLC framework
Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.
Why developers ignore security tools, and how to fix it
Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.
Building security programs with limited headcount
The developer-to-security ratio is roughly 100:1. A framework for scaling AppSec impact through automation and enablement when hiring isn't the answer.
Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets
A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.
Piping security findings into your observability stack
OCSF just cleared ITU review for ratification by June 2026 — here's how to route vulnerability and scan data into Datadog or New Relic without drowning your on-call rotation.