DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
A framework for scaling risk-based AppSec across many teams
40,009 CVEs were published in 2024 alone — a 38.83% jump over 2023. No security team can triage that volume by hand across dozens of engineering teams.
Security error budgets: gating risk instead of blocking everything
Google's SRE teams have spent an error budget on reliability since 2016 — applying the same model to security turns blanket blocking into risk-weighted gating.
Why semantic versioning and release channels matter for security tools
A backdoor sat in xz-utils 5.6.0 and 5.6.1 for weeks before Andres Freund caught it — stable distro channels, not luck, kept it out of most production systems.
Building a shift-left security culture developers actually buy into
Log4Shell sat in most Java codebases for years before Dec 2021 — shift-left tooling alone didn't stop it. Culture, placement, and incentives are what make it work.
CI/CD Supply Chain Attacks Explained: Anatomy and Defense
From SolarWinds to tj-actions, CI/CD pipelines are where one foothold reaches thousands of victims. This guide explains the anatomy of a pipeline supply chain attack and the layered defenses that stop it.
Security Regression Testing: Make Sure Fixed Vulnerabilities Stay Fixed
A vulnerability you patched last quarter that quietly comes back this quarter is worse than one you never fixed — because you thought it was handled. Here is how to build security regression testing that keeps fixes fixed.
Shift-Left Security: How to Implement It Without Breaking Developers
Shift-left security fails when it just means 'more scanners earlier.' A 2026 implementation guide to moving security into the developer workflow with precision — IDE, pre-commit, PR, and pipeline.
How to Report AppSec Risk to Your CISO
CVSS measures severity, not risk — and a slide of 4,000 raw findings tells a CISO nothing. Here's how to translate scan output into decisions.
Reducing Docker image build time without sacrificing security
Multi-stage builds and minimal base images can cut CI build times dramatically — and they're the same changes that shrink your CVE attack surface.
Software Composition Analysis Best Practices for Engineering Teams
CVE-2017-5638 was patched by Apache in March 2017, two months before Equifax was breached through it. Point-in-time SCA scans miss exactly this kind of drift.
Foundations for adopting AI coding tools securely in an engineering org
One engineering team cut critical vulnerability remediation from a week to 24 hours after wiring security checks into AI coding tools at the moment of code generation.
What a good AI remediation agent needs to fix dependencies safely
Snyk's CLI remediation agent pushed fix rates from 23% to 45% with an intelligence layer — but the harder problem is making an agent developers trust to touch their lockfile unsupervised.