Every company says security is a core value. Few embed it as a design constraint. The difference shows up when things break.
- I get a call from a co-founder I’ve known for years. His company just raised $400M+ Series D. His voice is flat: “We have a problem.”
Same day, we’re on a call. He’s a skilled engineer — personally devastated. They leaked over 2 million user records. Home addresses. Phone numbers. The full profile. The data had been publicly accessible for three weeks before anyone noticed.
America was still divided over Covid. “Someone can use this data in a hate-action,” he said. He was right.
Within hours, we found it. An engineer had used a public HTTP repository as file storage for a database dump. A crawler fished it out.
The System Allowed It
The engineer wasn’t malicious. The architecture had no guardrails.
If you want the systematic framing for that, start here: Security Assurance — URE Case — 2/5 — Trust Boundaries.
The company grew as it should — fast, focused on product-market fit and revenue. They never implemented NIST CSF or any security framework. No policy blocking public objects. No scanning for PII in commits. An engineer could publish a database dump worldwide and nothing stopped him.
Most post-mortems stop here: blame the human, add a checkbox, move on. That misses the point.
The CNCF TAG Security whitepaper on Secure Defaults puts it directly:
“Security should be the fourth pillar in designing a cloud native system in conjunction with consistency, availability and partition tolerance.”
Security as the fourth pillar of CAP. Not an afterthought. A design constraint — like availability, like consistency.
Related: When the Constraint Isn’t Capacity is the reliability version of this failure mode: scaling around a defect turns “capacity work” into a slow-moving incident.
What Should Have Been There
CI/CD Pipeline Security
The pipeline had no sanity checks. Today, there’s no excuse. Adding security to CI/CD is trivial with modern tooling:
Secrets and PII detection: Gitleaks or TruffleHog in pre-commit hooks — catches credentials before they hit the repo.
Vulnerability scanning: Trivy scans containers, file systems, and IaC configs. Integrates with GitHub Actions in minutes. Blocks deployments on CRITICAL/HIGH findings.
IaC security: Checkov scans Terraform, Kubernetes manifests, and cloud configs for misconfigurations before they deploy.
Static analysis: Semgrep catches code-level vulnerabilities across languages.
Artifact signing: Cosign signs container images. If it’s not signed, it doesn’t deploy.
This last point matters beyond prevention. Signed, immutable artifacts give you traceability. When something breaks — and it will — you can trace an incident back to a commit, a pipeline run, a decision. That’s not about blame. That’s about learning. You can run real blameless post-mortems because the system recorded what happened.
This is how you embed a security-aware posture across all layers of the company. When the tooling catches mistakes early, flags issues without destroying careers, and creates space to learn — security becomes practice, not paperwork.
Runtime Guardrails
The application had no positive security model. Default-allow everywhere. No white-hat working with the dev/ops team.
What should exist: WAF with allowlist rules. API gateway policies blocking bulk data egress — no endpoint returns 2 million records without an alert. Object storage defaults set to private.
Identity and Network
Services trusted each other implicitly. Network position equaled authorization. Data could flow anywhere.
What should exist: SPIFFE/SPIRE for workload identity — cryptographic, not IP-based trust. Every service gets a short-lived, specific, certificate. No static credentials to steal, no tokens to rotate manually. The identity is the workload, not the network segment it happens to sit in.
Cilium with eBPF for kernel-level policy enforcement. Service mesh with mTLS by default. Egress policies that whitelist destinations.
This is where the industry is heading. When identity is cryptographic and ephemeral, the blast radius of any single compromise shrinks dramatically. You can’t exfiltrate data through a service that isn’t authorized to talk to the outside world — and that authorization is enforced at the kernel, not the application.
The Cost
People will misstep. Evolution is about encoding lessons into systems — not relying on humans to never err.
More than money, the business lost traction. They had to deal with crisis PR, cyber insurance claims, Big-4 consulting. Since they weren’t publicly traded, they didn’t have to worry about an SEC filing — that alone would have meant multi-million dollar initial costs and a second shockwave sending investors away, diminishing the company’s value overall. At a moment when they should have been focusing only on growth and revenue, they were in damage control. A lot of the cost is intangible, but it burned more than $1M just at the bootstrap of remediation.
Safety as Culture, Not Compliance
This incident wasn’t a failure of one engineer. It was a failure of organizational design.
This is also why I treat “security assurance” as a business resiliency practice, not a compliance project: Improving Business Resiliency Through Security Assurance.
A mature security posture isn’t a checklist you complete before audit. It’s a corporate-wide safety mentality, embedded in process, creating guardrails so siloed errors don’t bleed into business outcomes.
When an engineer can accidentally publish production data to the public internet — and it stays there for three weeks — the system failed, not the person. When there’s no automated check, no policy gate, no alert, the organization chose speed over safety. That’s a valid tradeoff in early stages. At $400M Series D, with 2 million users trusting you with their home addresses, it’s negligence.
The goal isn’t zero mistakes. Humans err. The goal is containment — architectural boundaries that prevent local failures from becoming company-wide crises. Blast radius reduction. Detection in minutes, not weeks. Remediation paths that exist before you need them.
This is the difference between ad-hoc security and a repeatable, measurable capability.
Security-aware posture means every layer — engineering, ops, product, leadership — understands that guardrails exist to protect the business, not slow it down. When that mentality is embedded, security stops being the team that says “no” and becomes the system that says “safe.”
The Pattern
Default-deny everywhere. Network, storage, identity. If it’s not explicitly permitted, it’s blocked.
Automate enforcement. Policies in code, not wikis.
Shift left, but don’t stop there. Pre-commit hooks catch mistakes early. Runtime controls catch what slips through.
Security as a design constraint. Not a feature. Not a team. A property of the system, like uptime.
The companies that get this right don’t have fewer incidents — they have smaller blast radius, faster detection, and clearer remediation paths. They build systems that assume failure and contain it.
Everything else is hope.