$ tag: DevSecOps
# All the articles with the tag "DevSecOps".
-
The Rise of Supply Chain Attacks: Why 2025–2026 Changed Everything
Supply chain attacks have evolved from rare, high-profile incidents into industrialized, automated campaigns targeting the open-source ecosystem at scale. The software supply chain is no longer a side door — it's the primary attack surface of the modern era.
-
Introducing OWASP ThreatAtlas: Collaborative Threat Modeling at Scale
An introduction to OWASP ThreatAtlas — a collaborative platform for creating, tracking, and mitigating application threats — and the story behind initiating the project.
-
DAST with OWASP ZAP in CI/CD Pipelines
Dynamic Application Security Testing often gets skipped because it's hard to automate. Here's how to integrate OWASP ZAP into your pipeline without it becoming a blocker.
-
EPSS: A Smarter Way to Prioritize CVEs
CVSS scores alone are a poor guide for prioritization. EPSS uses real exploit data to tell you what's actually being exploited in the wild — and that changes everything.
-
Hardening GitHub Actions Workflows
GitHub Actions is powerful and widely trusted — which makes misconfigured workflows a high-value attack target. Here's how to lock them down.
-
Software Supply Chain Security and SBOMs
What SBOMs actually are, why they matter after Log4Shell and SolarWinds, and how to generate and use them in practice.
-
Secrets Management in CI/CD Pipelines
How to stop treating secrets as an afterthought in your pipelines — and what actually works in practice.
-
Why I Started Building ScanDog
After a decade of security engineering and watching teams drown in vulnerability noise, I decided to build the tool I always wished existed.
-
Comparing four popular Kubernetes policy engines
A comprehensive comparison of OPA Gatekeeper, Kyverno, Kubewarden, and jsPolicy for Kubernetes policy enforcement.
-
Scan an Entire Terraform Repository with Checkov
How to scan an entire Terraform repository with Checkov using a bash script.