infrastructure-security
Safeguard articles tagged "infrastructure-security" — guides, analysis, and best practices for software supply chain and application security.
27 articles
Terraform Cloud security integration guide
A practical breakdown of Terraform Cloud security: state file exposure, Sentinel/OPA policy gaps, Run Tasks trust risks, and drift monitoring.
Detecting drift between IaC and live cloud infrastructure
IaC and live cloud state drift apart within days of every deploy. Here's how drift detection actually works, why it matters, and how to close the gap fast.
Introduction to Open Policy Agent and Rego
A concrete walkthrough of Open Policy Agent and Rego — how OPA evaluates decisions, a runnable policy example, and where it fits in supply chain security.
Ansible playbook security scanning
Hardcoded secrets, unrestricted become, and injection-prone shell tasks turn Ansible playbooks into a single point of compromise across every host they touch.
Cloud Security Posture Management (CSPM) explained
CSPM explained: what it checks, why Gartner created the category in 2019, how it differs from CWPP/CNAPP, and why raw findings alone don't stop breaches.
Cloud misconfiguration as the top cause of cloud breaches
Capital One, Toyota, and a single Azure endpoint that leaked 65,000 companies' data all trace back to one root cause: cloud misconfiguration.
Applying CIS Benchmarks to cloud infrastructure
CIS Benchmarks turn "be secure" into testable checks for AWS, Azure, and GCP — here's how to move from annual audit to continuous enforcement.
Applying least privilege IAM in cloud-native environments
Least privilege IAM fails in practice because permissions are granted for convenience and rarely revoked. Here's how to fix that at cloud scale.
Securing managed Kubernetes clusters with IaC scanning
IaC scanning catches Kubernetes RBAC, network, and IAM misconfigurations in Terraform and Helm before they ever reach EKS, GKE, or AKS clusters.
The cost of cloud misconfiguration breaches
New breach-cost data shows cloud misconfigurations now cost millions per incident and take months to detect — here's what's driving the trend and how to close the gap.
When DNSSEC Goes Wrong: The .de TLD Signing Failure That Took Down German Domains (May 5, 2026)
On May 5, 2026, DENIC published unvalidatable DNSSEC signatures for the .de zone after a deployment defect made its signer generate three key pairs instead of one. Validating resolvers worldwide, including Cloudflare's 1.1.1.1, were forced to return SERVFAIL.
What is Policy as Code
Policy as code turns security and compliance rules into version-controlled, testable code enforced automatically in CI/CD, admission control, and runtime.