Best Practices
Oncall Rotation Design For Modern SecOps
Oncall rotations break for SecOps because the work is asynchronous and the alerts are noisy. Here is a rotation design that respects both, with the tooling to back it up.
Apr 3, 20266 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Oncall rotations break for SecOps because the work is asynchronous and the alerts are noisy. Here is a rotation design that respects both, with the tooling to back it up.
Every policy needs a bypass path or it will be routed around. The trick is making the bypass auditable, time-bound, and rare enough to remain meaningful.
A senior-engineer view of secret-scanning tools worth running in 2026: what TruffleHog, Gitleaks, GitGuardian, and platform-native scanners actually do well.
Public npm packages your org published years ago are now an attacker's best targets. Find them before someone else does.
Most TPRM programs tier vendors by spend. That misses the vendors who are cheap but catastrophic when they fail. Tiering by blast radius is the fix.
Most purple team exercises stop at the perimeter. A supply-chain-focused exercise probes the dependency graph, the build pipeline, and the trust assumptions in your SBOM.
A practical incident response playbook tailored for supply chain compromises — from initial detection through containment, eradication, and lessons learned.
An admitted workload is not a static one. Runtime drift detection turns the SBOM into a living contract and surfaces supply chain changes before they become incidents.
CMMC 2.0 and the EU Cyber Resilience Act both require obligations to flow down through your supply chain. Here is how to write the clauses and verify the compliance.
Weekly insights on software supply chain security, delivered to your inbox.