Knowledge that reduces risk
Pipeline security, DORA and NIS2 requirements, DevSecOps tools — written for CTOs and engineers, not for marketing.
CI/CD Hardening — what it is and why companies ignore it
The CI/CD pipeline has access to production keys, secrets and infrastructure. It is one of the weakest secured elements in technology organizations.
DORA and production system security — what the regulation actually says
The DORA regulation has been in effect since January 2025. Articles 9 and 10 address ICT system security — including CI/CD pipelines. We explain what the regulation actually requires.
NIS2 and the software supply chain — new obligations for technology companies
The NIS2 directive extends security responsibility across entire supply chains. Technology companies supplying to entities covered by the directive face new requirements.
Secret leaks in CI/CD pipelines — scale of the problem and mechanisms
Secrets in pipelines leak regularly — often not through attacks but through configuration errors that exist for years. We describe the mechanisms and scale of the phenomenon.
SBOM — why the software bill of materials is becoming a market requirement
A Software Bill of Materials is a document that describes what software is built from. Regulations and Enterprise requirements mean that its absence is starting to block sales.
Long-lived tokens in CI/CD — why they are a problem nobody sees
Static API keys and cloud access tokens in pipelines are one of the most common attack vectors against infrastructure. The problem is structural, not personal.
Policy-as-Code — when security policy exists only on paper
Most organizations have security policies. Few have mechanisms that actually enforce them. The difference between the two becomes apparent during an incident.
Artifact integrity in DevOps — the gap most organizations ignore
Between build and production deployment an artifact can be replaced. Without an integrity verification mechanism, there is no way to detect it. This is one of the most serious gaps in the software supply chain.
Vendor Risk Assessment — what it looks like from the buyer's side
The Enterprise client's security department sends a questionnaire with 150 questions. What they look for, what is a red flag, and why lack of documentation is a worse signal than admitting to a vulnerability.
SOC 2 Type II and the CI/CD pipeline — what the auditor actually verifies
SOC 2 Type II confirms that security controls have been working for at least 6 months. Auditors verify the CI/CD pipeline as part of the organization's ICT system — and they know what to look for.
Why DevSecOps slows down teams — and when it doesn't have to
Most negative experiences with implementing security in pipelines stem from implementation errors, not from the DevSecOps idea itself. We describe where resistance comes from and what causes it.
Zero Trust in the context of DevSecOps — a principle you cannot ignore
Zero Trust is a security architecture based on the assumption that no user, system or network should be trusted by default. In the context of CI/CD, this means a fundamental shift in thinking about access.
GitHub Actions — 10 configuration mistakes I see in every audit
GITHUB_TOKEN with write on everything, actions without SHA pinning, secrets in logs — 10 mistakes that co-occur and reinforce each other.
Enterprise client security questionnaire — what they check and how to prepare
VRA blocks the contract. Analysts look for answer consistency, knowledge of your own environment and evidence — not declarations.
Evidence Pack — what it is and why the auditor wants it
An auditor doesn't certify an organization on good intentions; they certify based on evidence. What an Evidence Pack is and why it is difficult to compile on your own.
Cost of data breaches and CI/CD incidents — what the data says
IBM, Verizon, GitGuardian — what the data says about security incident costs and why companies selling to Enterprise pay double.