Safeguard
Tag

devsecops

Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.

706 articles

DevSecOps

How to Rotate Build Signing Keys Safely

A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.

Oct 8, 20246 min read
DevSecOps

Docker Hub Rate Limit Changes and CI Impact

Docker's 2024 rate-limit reforms hit CI pipelines hard. Measured impact on 30 real build farms and the mirror and pull-through controls that fixed it.

Oct 3, 20245 min read
DevSecOps

AWS CDK Construct Library Security

CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.

Sep 25, 20247 min read
DevSecOps

FluxCD Security Model in Production

A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.

Sep 10, 20247 min read
DevSecOps

Jenkins + Maven Integration Security

Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.

Sep 8, 20247 min read
DevSecOps

Azure Bicep vs ARM: Security Comparison

Bicep and ARM templates produce the same deployments, but their security properties diverge — in module provenance, what-if analysis, registry trust, and review experience.

Aug 25, 20248 min read
Engineering

A Beginner's Guide to Threat Modeling Your Build Pipeline

Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.

Aug 25, 20247 min read
DevSecOps

Spinnaker Deployment Security Patterns

Practical security patterns for Spinnaker deployments: account isolation, pipeline template governance, artifact binding, and the CVE history behind the current authentication defaults.

Aug 18, 20247 min read
DevSecOps

SecDevOps vs DevSecOps: Is There Actually a Difference?

The SecDevOps definition and the DevSecOps definition describe nearly identical practices, but the word order isn't purely cosmetic, it signals a real difference in where security sits in the pipeline.

Aug 14, 20245 min read
DevSecOps

NuGet Private Feed Security Hardening

Private NuGet feeds sit in the blind spot of most security programs. The hardening work is not glamorous but the failure modes are expensive.

Jul 30, 20247 min read
Regulatory Compliance

US DoD Zero Trust: Software Dimensions

Where the DoD Zero Trust Reference Architecture meets the software supply chain, and what program offices are actually doing about it.

Jul 25, 20247 min read
DevSecOps

Drone CI Security Considerations

A security-focused look at Drone CI: runner isolation, secret handling, plugin risks, and the differences between Drone OSS, Enterprise, and the Harness transition.

Jul 15, 20248 min read
devsecops (Page 52) — Safeguard Blog