Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

A framework for scaling risk-based AppSec across many teams

40,009 CVEs were published in 2024 alone — a 38.83% jump over 2023. No security team can triage that volume by hand across dozens of engineering teams.

Jul 8, 20267 min read
DevSecOps

Security error budgets: gating risk instead of blocking everything

Google's SRE teams have spent an error budget on reliability since 2016 — applying the same model to security turns blanket blocking into risk-weighted gating.

Jul 8, 20267 min read
DevSecOps

Why semantic versioning and release channels matter for security tools

A backdoor sat in xz-utils 5.6.0 and 5.6.1 for weeks before Andres Freund caught it — stable distro channels, not luck, kept it out of most production systems.

Jul 8, 20266 min read
DevSecOps

Building a shift-left security culture developers actually buy into

Log4Shell sat in most Java codebases for years before Dec 2021 — shift-left tooling alone didn't stop it. Culture, placement, and incentives are what make it work.

Jul 8, 20267 min read
DevSecOps

CI/CD Supply Chain Attacks Explained: Anatomy and Defense

From SolarWinds to tj-actions, CI/CD pipelines are where one foothold reaches thousands of victims. This guide explains the anatomy of a pipeline supply chain attack and the layered defenses that stop it.

Jul 7, 20267 min read
DevSecOps

Security Regression Testing: Make Sure Fixed Vulnerabilities Stay Fixed

A vulnerability you patched last quarter that quietly comes back this quarter is worse than one you never fixed — because you thought it was handled. Here is how to build security regression testing that keeps fixes fixed.

Jul 7, 20266 min read
DevSecOps

Shift-Left Security: How to Implement It Without Breaking Developers

Shift-left security fails when it just means 'more scanners earlier.' A 2026 implementation guide to moving security into the developer workflow with precision — IDE, pre-commit, PR, and pipeline.

Jul 7, 20265 min read
DevSecOps

How to Report AppSec Risk to Your CISO

CVSS measures severity, not risk — and a slide of 4,000 raw findings tells a CISO nothing. Here's how to translate scan output into decisions.

Jul 7, 20267 min read
DevSecOps

Reducing Docker image build time without sacrificing security

Multi-stage builds and minimal base images can cut CI build times dramatically — and they're the same changes that shrink your CVE attack surface.

Jul 7, 20266 min read
DevSecOps

Software Composition Analysis Best Practices for Engineering Teams

CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.

Jul 7, 20267 min read
DevSecOps

Foundations for adopting AI coding tools securely in an engineering org

One engineering team cut critical vulnerability remediation from a week to 24 hours after wiring security checks into AI coding tools at the moment of code generation.

Jul 7, 20268 min read
DevSecOps

What a good AI remediation agent needs to fix dependencies safely

Snyk's CLI remediation agent pushed fix rates from 23% to 45% with an intelligence layer — but the harder problem is making an agent developers trust to touch their lockfile unsupervised.

Jul 7, 20266 min read
DevSecOps (Page 4) — Supply Chain Security Blog | Safeguard