DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
How the Snyk CLI's exit codes are structured for CI/CD fa...
A mechanical look at how the Snyk CLI's 0/1/2/3 exit codes work, how --severity-threshold and --fail-on change them, and how to branch on them correctly in CI/CD.
DevOps Research and Assessment (DORA): The Four Metrics Explained
DevOps Research and Assessment (DORA) distilled a decade of research into four metrics that predict software delivery performance — here's what they measure and how security work actually affects them.
Why Automated Package Publishing Pipelines Are a Growing ...
From tj-actions to xz utils, attackers are hijacking CI/CD pipelines to poison packages at the source. Here's why publishing pipelines are the new frontline.
Continuous Integration Security: A Checklist
Continuous integration security means treating your CI pipeline as a production system, because an attacker who compromises your CI runner can ship malicious code as easily as your own engineers.
Shift Left Fatigue: Why Developers Are Pushing Back on Se...
Shift-left security handed developers new duties without removing old ones. Here's why teams are pushing back — and how better tooling fixes the real problem: noise, not ownership.
Why Security Training Completion Rates Don't Predict Secu...
Completion rates measure attendance, not behavior. Here's why training checkboxes don't predict secure coding outcomes, and what to measure instead.
Friction as a Security Metric: Measuring Tool Adoption Fa...
Security tools fail quietly when developers route around them. Here's how to measure friction as a leading indicator of adoption failure before it causes a breach.
The Champion Model: Do Embedded Security Champions Actual...
Security champion programs cut vulnerabilities only under specific conditions. Here's what BSIMM, GitLab, and OWASP data show about when the champion model actually works.
Why Security and Engineering KPIs Are Still Misaligned in...
Security teams chase CVSS scores and SLA compliance while engineering chases velocity and uptime—two scorecards that were never built to agree.
Policy Bypass Culture: What Happens When Deadlines Beat G...
When deadlines collide with security gates, developers bypass them quietly and often. Here's how policy bypass culture forms, what it costs, and how to stop it.
Measuring Developer Security Maturity Beyond Tool Coverage
Tool coverage tells you what's installed, not whether developers are actually getting safer. Here's how to build a maturity model around remediation velocity, recurrence, and secrets hygiene instead.
The Hidden Cost of Context Switching Between IDE and Secu...
Jumping between your IDE and security dashboards isn't free. Here's what context switching really costs developers, and how to eliminate it.