devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Threat Modeling for Developers: A Lightweight Practical Guide
Threat modeling doesn't need a two-day workshop. A developer-friendly 2026 guide to modeling threats with the four-question framework and STRIDE — fast enough to run on a feature branch.
Azure Pipelines Security: Stop Treating YAML as Config
An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.
GitLab Account Takeover via Password Reset (CVE-2023-7028) Explained
CVE-2023-7028 let attackers send GitLab password-reset links to an address they controlled — a zero-interaction account takeover scored 10.0. Here's the flaw and the fix.
Secrets Management in Node.js: From .env to Zero-Standing-Credentials
Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.
The Risks of Secrets in Environment Variables (2026)
Environment variables feel like the safe place to put secrets — but they leak through crash dumps, child processes, CI logs, and container layers. Here is where env-var secrets escape and what to do instead.
Secrets Scanning: Stop Leaking Credentials Before They Ship
A leaked API key in Git history is compromised the moment it is pushed — deleting the commit does not help. Here is how to build secrets scanning across your whole lifecycle, from pre-commit to Git history.
How to Build a Security Champions Program That Lasts
A security champions program scales AppSec without scaling headcount — if it's built right. A 2026 playbook for recruiting, enabling, and retaining champions, plus the metrics that prove it works.
Terraform Security Best Practices: Hardening Your IaC in 2026
Terraform provisions your entire cloud, which makes it your largest attack surface as code. Here are the practices that keep state, modules, and providers from becoming the breach.
What Is Shift-Left Security? A Plain-English Explanation
Shift-left security means moving security checks earlier in development — into the IDE, the commit, and the pull request — so flaws are caught while they're cheap to fix. Here's what it actually means and how to do it without slowing teams down.
.NET Dependency Vulnerability Scanning: A Practical Guide
How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.
AI Code Review and Security: Reviewer, Reviewed, or Both?
AI can review pull requests and AI can write them — sometimes in the same workflow. Both roles carry security implications teams routinely underestimate. Here is how to get the benefit without the blind spots.
Build Pipeline Compromise: When the Factory Ships the Malware
A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.