Safeguard
Tag

devsecops

Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.

706 articles

DevSecOps

Threat Modeling for Developers: A Lightweight Practical Guide

Threat modeling doesn't need a two-day workshop. A developer-friendly 2026 guide to modeling threats with the four-question framework and STRIDE — fast enough to run on a feature branch.

Jul 6, 20265 min read
DevSecOps

Azure Pipelines Security: Stop Treating YAML as Config

An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.

Jul 5, 20266 min read
Vulnerability Analysis

GitLab Account Takeover via Password Reset (CVE-2023-7028) Explained

CVE-2023-7028 let attackers send GitLab password-reset links to an address they controlled — a zero-interaction account takeover scored 10.0. Here's the flaw and the fix.

Jul 5, 20265 min read
Security Guides

Secrets Management in Node.js: From .env to Zero-Standing-Credentials

Hardcoded tokens and committed .env files are still the fastest way to lose a cloud account. Here is a maturity ladder for Node.js secrets — from native --env-file to managed vaults and short-lived OIDC credentials.

Jul 5, 20265 min read
Security Guides

The Risks of Secrets in Environment Variables (2026)

Environment variables feel like the safe place to put secrets — but they leak through crash dumps, child processes, CI logs, and container layers. Here is where env-var secrets escape and what to do instead.

Jul 5, 20266 min read
DevSecOps

Secrets Scanning: Stop Leaking Credentials Before They Ship

A leaked API key in Git history is compromised the moment it is pushed — deleting the commit does not help. Here is how to build secrets scanning across your whole lifecycle, from pre-commit to Git history.

Jul 5, 20267 min read
DevSecOps

How to Build a Security Champions Program That Lasts

A security champions program scales AppSec without scaling headcount — if it's built right. A 2026 playbook for recruiting, enabling, and retaining champions, plus the metrics that prove it works.

Jul 5, 20265 min read
Cloud Security

Terraform Security Best Practices: Hardening Your IaC in 2026

Terraform provisions your entire cloud, which makes it your largest attack surface as code. Here are the practices that keep state, modules, and providers from becoming the breach.

Jul 5, 20265 min read
Concepts

What Is Shift-Left Security? A Plain-English Explanation

Shift-left security means moving security checks earlier in development — into the IDE, the commit, and the pull request — so flaws are caught while they're cheap to fix. Here's what it actually means and how to do it without slowing teams down.

Jul 5, 20267 min read
Security Guides

.NET Dependency Vulnerability Scanning: A Practical Guide

How to scan .NET dependencies for known vulnerabilities using dotnet list package, NuGet audit, and reachability-aware SCA, and how to wire it into CI so nothing ships with a known critical.

Jul 4, 20265 min read
AI Security

AI Code Review and Security: Reviewer, Reviewed, or Both?

AI can review pull requests and AI can write them — sometimes in the same workflow. Both roles carry security implications teams routinely underestimate. Here is how to get the benefit without the blind spots.

Jul 4, 20266 min read
Threat Research

Build Pipeline Compromise: When the Factory Ships the Malware

A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.

Jul 4, 20266 min read
devsecops (Page 8) — Safeguard Blog