Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Chaos engineering for security resilience testing

A one-hour Cloudflare R2 outage in March 2025 traced back to a mistyped deploy flag during credential rotation — exactly the failure a security chaos experiment is built to catch first.

Jul 8, 20267 min read
DevSecOps

The DevSecOps Adoption Leadership Playbook

Datadog's 2026 State of DevSecOps found 87% of organizations have a known-exploited vulnerability live in production — the fix is incentive design, not another mandate.

Jul 8, 20267 min read
DevSecOps

The four-phase roadmap for adopting DevSecOps

Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.

Jul 8, 20267 min read
DevSecOps

DevSecOps on AWS: a reference architecture for CI/CD security gates

Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.

Jul 8, 20266 min read
DevSecOps

A reference architecture for SAST, SCA, and DAST gates that don't block developers

Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.

Jul 8, 20267 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
DevSecOps

The GitOps security model: risks and controls

GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.

Jul 8, 20266 min read
DevSecOps

Hardening CI/CD Pipelines End to End

A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.

Jul 8, 20268 min read
DevSecOps

A hands-on introduction to Rego for Kubernetes admission control

OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.

Jul 8, 20266 min read
DevSecOps

Rego for intermediates: combining rules with AND/OR and writing actionable error messages

Rego has no `&&` or `||` operators — AND is implicit, OR means writing the same rule twice, and most teams miss both until a policy silently passes.

Jul 8, 20267 min read
DevSecOps

Rego for security engineers: a beginner's guide to OPA policy

Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.

Jul 8, 20267 min read
DevSecOps

Wiring SAST Findings Into ITSM: The Overlooked Lever for MTTR

The 2026 Verizon DBIR found median patch time hit 43 days, up from 32 — and much of that gap is ticket handoff friction, not fix difficulty.

Jul 8, 20266 min read
DevSecOps (Page 3) — Supply Chain Security Blog | Safeguard