devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
The four-phase roadmap for adopting DevSecOps
Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.
DevSecOps on AWS: a reference architecture for CI/CD security gates
Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.
A reference architecture for SAST, SCA, and DAST gates that don't block developers
Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.
Protect the Environment: How Env-Var Leakage Happens in CI/CD
One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.
The GitOps security model: risks and controls
GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.
Designing an application security program from first principles
Two backdoors nine years apart — event-stream in 2018, XZ Utils in 2024 — show why code-only AppSec programs fail. Here's a four-layer framework built from scratch.
Shifting Infrastructure-as-Code security left across the SDLC
Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.
Designing Least-Privilege Kubernetes RBAC: A Practical Guide
CVE-2018-1002105 (CVSS 9.8) let an unauthenticated request reach cluster-admin through pod exec endpoints — most RBAC breaches since trace back to the same handful of over-broad bindings.
A hands-on introduction to Rego for Kubernetes admission control
OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.
Rego for intermediates: combining rules with AND/OR and writing actionable error messages
Rego has no `&&` or `||` operators — AND is implicit, OR means writing the same rule twice, and most teams miss both until a policy silently passes.
Rego for security engineers: a beginner's guide to OPA policy
Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.
Wiring SAST Findings Into ITSM: The Overlooked Lever for MTTR
The 2026 Verizon DBIR found median patch time hit 43 days, up from 32 — and much of that gap is ticket handoff friction, not fix difficulty.