devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
OWASP Training: How to Actually Run It for a Dev Team
OWASP training only sticks when it's tied to the vulnerabilities your own codebase actually has, not a generic slide deck run once a year.
Secure Docker Images: A Practical Checklist
A working checklist for building secure Docker images, from base image choice through image scanning, that you can actually apply to an existing Dockerfile this week.
Application Development Security: Building It Into the SDLC
Application development security only works when it's built into the software development lifecycle from the first commit, not bolted on before a release deadline.
DevSecOps Tools Comparison 2025: Choosing the Right Stack
The DevSecOps tooling landscape has exploded. From SAST to SCA to SBOM management, this guide compares the major categories and helps you build a coherent security toolchain.
Static Code Analysis Tools: The Open Source Options
Static code analysis tools open source teams actually use — Semgrep, CodeQL, Bandit, ESLint security plugins — and where each one's coverage runs out.
SAST vs DAST: When to Use Each (and Why Not Either/Or)
SAST and DAST test different layers of an application at different stages of the pipeline — the real question isn't which to pick, it's how to run both without duplicating effort.
Docker and Container Security Best Practices: A Combined Checklist
A single, practical checklist covering dockers and containers together — image build, runtime config, and CI gates — instead of treating Docker security and container security as separate problems.
Static Source Code Analysis Tools: A Practical Guide
A practical walkthrough of what static source code analysis tools actually check, where they miss, and how to pick one without buying a shelf-ware scanner.
GitLab CI/CD Security Hardening for 2025
A practical hardening playbook for GitLab 17.8 covering runner isolation, OIDC federation, CI variable scoping, and protected branch enforcement.
What Is a Security Champions Program?
AppSec teams are outnumbered 100 to 1 by developers. A security champions program is the only staffing model that scales — here is how to build one that lasts.
Prompt Injection as a Supply Chain Risk: When AI Dependencies Are Exploitable
Prompt injection is not just an application vulnerability. When LLMs process content from the software supply chain -- package descriptions, README files, commit messages -- injection becomes a supply chain attack vector.
Turborepo Monorepo Supply Chain Security
Turborepo makes large JavaScript monorepos fast, and speed changes how teams think about dependencies. The supply chain implications are subtle enough that a fast-moving team can be in trouble before anyone notices.