Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

376 articles

DevSecOps

Secure SDLC: A Practical Guide to Embedding Security Gates in Every Phase

NIST finalized the Secure Software Development Framework in February 2022, yet most teams still bolt security on at release. Here's where the gates actually belong.

Jul 16, 20267 min read
DevSecOps

Building AppSec Training Programs That Actually Change Behavior

OWASP's 2021 Top 10 added Insecure Design as its largest category by CWE count, yet most developer training still teaches syntax, not decisions.

Jul 15, 20266 min read
DevSecOps

Does gamification actually make security training work?

picoCTF drew 18,000+ participants in 2025, but research shows points and badges boost engagement far more reliably than they change security behavior.

Jul 15, 20266 min read
DevSecOps

Securing Secrets and Environment Variables in GitHub Actions

A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.

Jul 15, 20266 min read
DevSecOps

A framework for consolidating SAST, DAST, and SCA tools

Enterprises run 45 security tools on average, and 50+ tool stacks detect incidents 8% worse. Here's when AppSec consolidation actually pays off.

Jul 15, 20266 min read
DevSecOps

Building a security-first engineering culture

Only 16.2% of orgs deploy on demand, per DORA's 2025 report. The gap between elite and low performers is culture, not tooling — here's how CISOs close it.

Jul 14, 20266 min read
DevSecOps

The secure SDLC implementation guide: gates for every phase

NIST's SSDF names four practice groups, but most teams bolt security onto one phase. Here's how to gate design, code, build, and release instead.

Jul 14, 20267 min read
DevSecOps

DevSecOps best practices for secure builds: an 8-point SDLC framework

Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.

Jul 13, 20266 min read
DevSecOps

Why developers ignore security tools, and how to fix it

Verizon's 2025 DBIR found only 54% of edge-device vulnerabilities get fully remediated within a year. The gap isn't awareness — it's friction and delay.

Jul 13, 20266 min read
DevSecOps

Building security programs with limited headcount

The developer-to-security ratio is roughly 100:1. A framework for scaling AppSec impact through automation and enablement when hiring isn't the answer.

Jul 12, 20266 min read
DevSecOps

Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets

A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.

Jul 12, 20267 min read
DevSecOps

Piping security findings into your observability stack

OCSF just cleared ITU review for ratification by June 2026 — here's how to route vulnerability and scan data into Datadog or New Relic without drowning your on-call rotation.

Jul 12, 20266 min read
DevSecOps — Supply Chain Security Blog | Safeguard