DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Chaos engineering for security resilience testing
A one-hour Cloudflare R2 outage in March 2025 traced back to a mistyped deploy flag during credential rotation — exactly the failure a security chaos experiment is built to catch first.
The DevSecOps Adoption Leadership Playbook
Datadog's 2026 State of DevSecOps found 87% of organizations have a known-exploited vulnerability live in production — the fix is incentive design, not another mandate.
The four-phase roadmap for adopting DevSecOps
Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.
DevSecOps on AWS: a reference architecture for CI/CD security gates
Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.
A reference architecture for SAST, SCA, and DAST gates that don't block developers
Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.
Protect the Environment: How Env-Var Leakage Happens in CI/CD
One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.
The GitOps security model: risks and controls
GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.
Hardening CI/CD Pipelines End to End
A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.
A hands-on introduction to Rego for Kubernetes admission control
OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.
Rego for intermediates: combining rules with AND/OR and writing actionable error messages
Rego has no `&&` or `||` operators — AND is implicit, OR means writing the same rule twice, and most teams miss both until a policy silently passes.
Rego for security engineers: a beginner's guide to OPA policy
Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.
Wiring SAST Findings Into ITSM: The Overlooked Lever for MTTR
The 2026 Verizon DBIR found median patch time hit 43 days, up from 32 — and much of that gap is ticket handoff friction, not fix difficulty.