Safeguard
Tag

devsecops

Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.

706 articles

DevSecOps

The four-phase roadmap for adopting DevSecOps

Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.

Jul 8, 20267 min read
DevSecOps

DevSecOps on AWS: a reference architecture for CI/CD security gates

Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.

Jul 8, 20266 min read
DevSecOps

A reference architecture for SAST, SCA, and DAST gates that don't block developers

Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.

Jul 8, 20267 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
DevSecOps

The GitOps security model: risks and controls

GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.

Jul 8, 20266 min read
Application Security

Designing an application security program from first principles

Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.

Jul 8, 20267 min read
Cloud Security

Shifting Infrastructure-as-Code security left across the SDLC

Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.

Jul 8, 20266 min read
Kubernetes Security

Designing Least-Privilege Kubernetes RBAC: A Practical Guide

CVE-2018-1002105 (CVSS 9.8) let an unauthenticated request reach cluster-admin through pod exec endpoints — most RBAC breaches since trace back to the same handful of over-broad bindings.

Jul 8, 20267 min read
DevSecOps

A hands-on introduction to Rego for Kubernetes admission control

OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.

Jul 8, 20266 min read
DevSecOps

Rego for intermediates: combining rules with AND/OR and writing actionable error messages

Rego has no `&&` or `||` operators — AND is implicit, OR means writing the same rule twice, and most teams miss both until a policy silently passes.

Jul 8, 20267 min read
DevSecOps

Rego for security engineers: a beginner's guide to OPA policy

Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.

Jul 8, 20267 min read
DevSecOps

Wiring SAST Findings Into ITSM: The Overlooked Lever for MTTR

The 2026 Verizon DBIR found median patch time hit 43 days, up from 32 — and much of that gap is ticket handoff friction, not fix difficulty.

Jul 8, 20266 min read
devsecops (Page 4) — Safeguard Blog