devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
How to Rotate Build Signing Keys Safely
A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.
Docker Hub Rate Limit Changes and CI Impact
Docker's 2024 rate-limit reforms hit CI pipelines hard. Measured impact on 30 real build farms and the mirror and pull-through controls that fixed it.
AWS CDK Construct Library Security
CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.
FluxCD Security Model in Production
A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.
Jenkins + Maven Integration Security
Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.
Azure Bicep vs ARM: Security Comparison
Bicep and ARM templates produce the same deployments, but their security properties diverge — in module provenance, what-if analysis, registry trust, and review experience.
A Beginner's Guide to Threat Modeling Your Build Pipeline
Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.
Spinnaker Deployment Security Patterns
Practical security patterns for Spinnaker deployments: account isolation, pipeline template governance, artifact binding, and the CVE history behind the current authentication defaults.
SecDevOps vs DevSecOps: Is There Actually a Difference?
The SecDevOps definition and the DevSecOps definition describe nearly identical practices, but the word order isn't purely cosmetic, it signals a real difference in where security sits in the pipeline.
NuGet Private Feed Security Hardening
Private NuGet feeds sit in the blind spot of most security programs. The hardening work is not glamorous but the failure modes are expensive.
US DoD Zero Trust: Software Dimensions
Where the DoD Zero Trust Reference Architecture meets the software supply chain, and what program offices are actually doing about it.
Drone CI Security Considerations
A security-focused look at Drone CI: runner isolation, secret handling, plugin risks, and the differences between Drone OSS, Enterprise, and the Harness transition.