secure-development
Safeguard articles tagged "secure-development" — guides, analysis, and best practices for software supply chain and application security.
25 articles
Secure code review: the checklist reviewers actually need
Broken access control affects nearly every tested app and XSS remains the #1 CWE overall — both catchable in review. Here is a language-agnostic PR checklist.
Integrating AI Tools Without Expanding Your Attack Surface
Stanford researchers found developers using AI coding assistants wrote more security bugs — and felt more confident in them. Here's how to adopt AI safely.
Building Secure VS Code Extensions: A Developer's Guide
VS Code extensions run as trusted Node.js code with full disk and network access and no permission model to fall back on. Here is how to build one that does not become the next supply chain incident.
NIST SSDF FAQ: SP 800-218, the Four Practice Groups, and Attestation
A precise FAQ on the NIST Secure Software Development Framework in 2026 — the four practice groups, the CISA self-attestation form, EO 14028 lineage, the AI augmentation, and the evidence behind it.
Introduction to Secure Software Development
Security is not a phase you bolt on at the end — it is a set of practices woven through every stage of building software. This guide introduces the secure development lifecycle, the practices that matter at each stage, and how to get started.
The NIST Secure Software Development Framework (SSDF), explained
NIST SP 800-218 is the framework behind federal secure-development attestations. Here's what its four practice groups ask of you and how to produce the evidence.
Secure Coding for Beginners: Writing Code That Resists Attack
Secure coding is not a separate discipline you bolt on later. It is a set of small habits you weave into the way you already write software. Here is a friendly introduction with a first exercise to try today.
Securing AI Coding Assistants: Guardrails That Hold
AI coding assistants are in nearly every IDE now. Banning them fails; trusting them blindly fails harder. The middle path is guardrails — technical controls that let assistants move fast without letting them ship the wrong thing.
AI Code Review and Security: Reviewer, Reviewed, or Both?
AI can review pull requests and AI can write them — sometimes in the same workflow. Both roles carry security implications teams routinely underestimate. Here is how to get the benefit without the blind spots.
ISO 27001 Annex A controls guide: the software and supplier set
ISO/IEC 27001:2022 restructured Annex A into 93 controls and added new ones for secure development and supply chain. Here is the subset that lands on engineering teams and how to evidence it.
GDPR for software developers: privacy by design in practice
GDPR is not just a legal team's problem. Data protection by design, security of processing, and processor due diligence all translate into code, dependencies, and architecture. Here is the developer's view.
PCI DSS 4.0 Requirement 6: the software security guide
Requirement 6 is where PCI DSS 4.0 turned application and software security into a continuous, evidenced discipline. Here is a clause-by-clause walkthrough of 6.2 through 6.5 and what auditors expect.