Safeguard
Tag

devsecops

Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.

706 articles

Culture

OWASP Training: How to Actually Run It for a Dev Team

OWASP training only sticks when it's tied to the vulnerabilities your own codebase actually has, not a generic slide deck run once a year.

May 6, 20255 min read
Containers

Secure Docker Images: A Practical Checklist

A working checklist for building secure Docker images, from base image choice through image scanning, that you can actually apply to an existing Dockerfile this week.

May 6, 20255 min read
DevSecOps

Application Development Security: Building It Into the SDLC

Application development security only works when it's built into the software development lifecycle from the first commit, not bolted on before a release deadline.

May 6, 20255 min read
DevSecOps

DevSecOps Tools Comparison 2025: Choosing the Right Stack

The DevSecOps tooling landscape has exploded. From SAST to SCA to SBOM management, this guide compares the major categories and helps you build a coherent security toolchain.

Apr 20, 20256 min read
AppSec

Static Code Analysis Tools: The Open Source Options

Static code analysis tools open source teams actually use — Semgrep, CodeQL, Bandit, ESLint security plugins — and where each one's coverage runs out.

Apr 17, 20255 min read
AppSec

SAST vs DAST: When to Use Each (and Why Not Either/Or)

SAST and DAST test different layers of an application at different stages of the pipeline — the real question isn't which to pick, it's how to run both without duplicating effort.

Apr 16, 20255 min read
Containers

Docker and Container Security Best Practices: A Combined Checklist

A single, practical checklist covering dockers and containers together — image build, runtime config, and CI gates — instead of treating Docker security and container security as separate problems.

Mar 18, 20255 min read
AppSec

Static Source Code Analysis Tools: A Practical Guide

A practical walkthrough of what static source code analysis tools actually check, where they miss, and how to pick one without buying a shelf-ware scanner.

Mar 11, 20256 min read
DevSecOps

GitLab CI/CD Security Hardening for 2025

A practical hardening playbook for GitLab 17.8 covering runner isolation, OIDC federation, CI variable scoping, and protected branch enforcement.

Feb 20, 20255 min read
Culture

What Is a Security Champions Program?

AppSec teams are outnumbered 100 to 1 by developers. A security champions program is the only staffing model that scales — here is how to build one that lasts.

Feb 11, 20256 min read
AI Security

Prompt Injection as a Supply Chain Risk: When AI Dependencies Are Exploitable

Prompt injection is not just an application vulnerability. When LLMs process content from the software supply chain -- package descriptions, README files, commit messages -- injection becomes a supply chain attack vector.

Jan 20, 20257 min read
DevSecOps

Turborepo Monorepo Supply Chain Security

Turborepo makes large JavaScript monorepos fast, and speed changes how teams think about dependencies. The supply chain implications are subtle enough that a fast-moving team can be in trouble before anyone notices.

Dec 10, 20248 min read
devsecops (Page 50) — Safeguard Blog