Your Security Is Probably an Accident: Designing Cybersecurity Into the System, Not the Sprint

Bygaz

Why this matters right now

Most teams didn’t design their security posture. It just…emerged.

  • Identity: “We’ll wire Okta/AAD later.”
  • Secrets: “Put it in the CI variable store for now.”
  • Cloud security: “We’ll run a scanner before launch.”
  • Supply chain: “We pin dependencies, mostly.”
  • Incident response: “We have PagerDuty; we’ll figure it out.”

That worked when:
– Your blast radius was a handful of VMs.
– Your dependency graph fit on one whiteboard.
– Your infra footprint was a single cloud + single region.

Today, that’s wrong by default:

  • Identity is not a login page; it’s the graph that governs every machine-to-machine call.
  • Secrets are not “things in Vault”; they’re the life-cycle from creation → delivery → rotation → revocation.
  • Cloud security posture management (CSPM) is not a dashboard; it’s whether misconfigurations are structurally hard or easy.
  • Supply chain risk is not “Log4j but again”; it’s every build, artifact, and plugin you quietly glued together.
  • Incident response is not a runbook; it’s your ability to answer, fast: “What actually has access to what, and how do we cut it off?”

Cybersecurity by design means: the safest behavior is the default, not the bolted-on exception. That’s the only way you get both safety and velocity at scale.

What’s actually changed (not the press release)

What’s fundamentally different from 5–10 years ago:

1. Identity is now your perimeter

  • Most access is over the internet or flat internal networks.
  • The “perimeter” is: Can this identity assume that role, use that token, or call that API?
  • Machine identities (workloads, services, CI runners) now outnumber human users by 10–100x in many orgs.

This means:
– One compromised CI token can be worse than one compromised production admin login.
– Privilege creep via role chaining is the new flat network.

2. Secret sprawl is in the build and runtime, not just config

  • Your secrets exist in:
    • IaC (Terraform, CloudFormation, Pulumi) if you’re sloppy.
    • CI/CD pipelines and their plugin ecosystems.
    • Container images and layers.
    • Local dev tooling (env files, profiles, browser storage).
  • Short-lived credentials are more common, but the systems that mint them are often under-protected.

3. Cloud security posture is a continuous state, not a review step

  • Everything is API-driven and mutable:
    • A single bad “fix-forward” commit to Terraform can expose an S3 bucket or open up a security group.
    • Third-party tools and SaaS integrations mint new keys, roles, and callback URLs continuously.
  • The question is no longer “Are we compliant?” but:
    • “How fast can we detect and correct drift from our baseline?”

4. The supply chain is now your largest attack surface

  • Your product:
    • Third-party libraries (open source and commercial).
    • Build tools, runners, plugins, base images.
    • Deployed artifacts: containers, functions, or machine images.
  • Attackers stopped going for the front door and now:
    • Compromise a developer laptop, poison a build step, or exploit a CI plugin.
    • Abuse “trusted” automation to push legit-signed malicious artifacts.

5. Incident response is API operations

  • Containment is now:
    • Revoking tokens and rotating keys.
    • Breaking trust chains between services.
    • Modifying IAM, network policies, and runtime policies quickly and safely.
  • If your IR plan can’t be executed via code + standard change process, it mostly doesn’t exist.

How it works (simple mental model)

Designing cybersecurity into your stack can be reduced to five graphs you must control:

  1. Identity Graph – who/what can act as whom
  2. Secret Graph – where sensitive material flows and lives
  3. Infra Graph – how resources connect and are exposed
  4. Supply Chain Graph – how code becomes production artifacts
  5. Response Graph – how you change the first four in an emergency

If your team can draw and query these graphs, you have a shot at “security by design.”

1. Identity graph

Questions you should be able to answer programmatically:

  • For a given human, service, or CI job:
    • What roles can it assume? Under which conditions?
    • What data planes and admin planes can it touch?
  • For any high-privilege role:
    • What are all the paths that can reach it? (Users, services, federation, access keys)

Design goal:
– Identities are narrowly scoped, time-bounded, and auditable.
– Cross-account / cross-project access is explicit and minimized.

2. Secret graph

You need visibility on:

  • Where each secret is:
    • Issued: what system created it?
    • Stored: which stores, env vars, config, images?
    • Used: which workloads actually consume it?
  • Rotation:
    • Can you rotate without redeploying everything?
    • Do you know which consumers will break?

Design goal:
– High-value secrets are:
– Short-lived.
– Fetched just-in-time.
– Traced from issuance to usage.

3. Infra graph

Cloud security posture in simple terms:

  • For each resource (bucket, DB, queue, function, cluster):
    • What identities can access it, from what network paths?
    • Is it internet reachable, directly or transitively?
  • For each ingress point:
    • What’s the auth model?
    • What’s the downstream blast radius?

Design goal:
– Default-deny for network and identity paths.
– A thin, well-understood “edge” with clear auth and routing.

4. Supply chain graph

You’re mapping:

  • Build inputs:
    • Source repos, dependencies, base images, plugins.
  • Build processes:
    • CI runners, build steps, artifact signing, registries.
  • Deploy paths:
    • Which pipelines can reach which environments?

Design goal:
– Every production artifact:
– Has a provenance story (who/what/when/how).
– Comes from a minimal, auditable build process.

5. Response graph

Your ability to change state quickly:

  • For any given secret, role, environment, or service:
    • What’s the sequence of actions to isolate or revoke it?
    • Can you do this safely at 2 a.m. without the “one infra guru”?

Design goal:
– Playbooks are:
– Scriptable.
– Testable in lower environments.
– Owned by product teams, not “infosec-only docs.”

Where teams get burned (failure modes + anti-patterns)

Failure mode 1: “SSO is done, we’re secure”

Pattern:
– Central SSO for humans, no coherent identity story for services and automation.

Impact:
– A compromised CI runner token can provision infra, update code, or access data far beyond any single human account.

Anti-pattern signs:
– Long-lived CI tokens with admin rights.
– Shared “ops” IAM users/keys.
– Service accounts reused across multiple services.

Failure mode 2: Vault installed, secrets still everywhere

Pattern:
– Secrets manager exists, but:
– Hard-coded credentials in IaC, code, or Git history.
– Secrets copied into CI vars or environment files “for convenience.”

Impact:
– You can’t safely rotate anything because you don’t know where it all lives.

Anti-pattern signs:
– “We can’t rotate that DB password; it’ll break something.”
– Secret values show up frequently in application logs.

Failure mode 3: “We run a CSPM; it’s green”

Pattern:
– Tooling reports “OK” because policies are lax or ignored.

Impact:
– Repeated issues: public buckets, open security groups, default policies that are over-permissive.

Example (real pattern):
– Team repeatedly fixed “public S3 bucket” tickets manually.
– Root cause: a Terraform module with acl = "public-read" checked into a shared repo a year earlier.

Anti-pattern signs:
– Same misconfigurations reappearing.
– “Exceptions” granted forever.

Failure mode 4: Trusting the CI/CD black box

Pattern:
– CI system has:
– Broad credentials to deploy anywhere.
– Third-party plugins, unreviewed scripts, or shared runners.

Impact:
– Build or deployment environment becomes the central compromise point.

Example (pattern):
– A “helpful” pipeline step downloaded a shell script from an internal HTTP endpoint.
– That endpoint was compromised and used to inject malicious commands into every build.

Anti-pattern signs:
curl | bash-style steps in pipelines.
– Shared runners that both untrusted PRs and production builds use.

Failure mode 5: Incident response as theater

Pattern:
– There’s a PDF playbook, but:
– Nobody has practiced it.
– It requires 3 teams and a VP to approve a firewall rule.

Impact:
– During a real incident, teams:
– Hesitate to revoke tokens or suspend services.
– Fight over ownership and blast radius estimates.

Anti-pattern signs:
– No drills.
– No post-incident action items that change infra or process.

Practical playbook (what to do in the next 7 days)

You won’t “fix security” in a week. You can establish direction and expose hidden risk.

Day 1–2: Inventory the graphs at low resolution

  1. Identity

    • Export:
      • All roles/groups with admin or wildcard privileges.
      • All non-human identities (service accounts, CI users, bots).
    • Ask: which of these could, directly or indirectly, write to production or read sensitive data?

  2. Secrets

    • Grep / scan repos and CI configs for:
      • Obvious secrets (keys, tokens, passwords).
      • Hard-coded connection strings.
    • List:
      • All secret stores in use (Vault, cloud KMS/SM, CI var store, env files).

  3. Infra

    • Identify:
      • All internet-exposed endpoints (load balancers, API gateways, public IPs, public buckets).
    • For each, note:
      • Auth method.
      • Downstream systems they can touch.

  4. Supply chain

    • Trace:
      • How code gets from main to production for one critical service.
    • Note:
      • CI system, runners, build steps, artifact storage, deployment mechanism.

  5. Response

    • Pick one plausible scenario:
      • “Compromised CI token” or “compromised DB credential.”
    • Ask:
      • Who decides what to do?
      • What exact actions would you take, and in what system?

Day 3–4: Define one secure-by-design pattern per area

You don’t need a 50-page strategy; you need one good pattern each.

  1. Identity pattern

    • Example:
      • “CI deploy role is write-only to artifact registry and has least-privilege deploy permissions; it cannot read production data.”

  2. Secrets pattern

    • Example:
      • “All app-to-DB credentials come from a secret manager at startup; no secrets in IaC or container images.”

  3. Infra pattern

    • Example:
      • “Default security groups are deny-all; all internet ingress goes through a single edge with enforced auth and rate limiting.”

  4. Supply chain pattern

    • Example:
      • “Production builds run only on dedicated runners; all artifacts are signed, and only signed images can be deployed.”

  5. Response pattern

    • Example:
      • “We have a script/runbook to rotate CI deploy keys and invalidate active sessions within 15 minutes.”

Write these in one page of plain language and get buy-in from one senior engineer per platform area.

Day 5–7: Cut the top 3 risks and run one drill

  1. Tackle three highest-impact, low-debate changes

    • Examples:
      • Remove admin permissions from CI roles; create scoped roles.
      • Disable public access on obviously-internal buckets.
      • Move one high-risk secret from CI vars to a proper secrets manager with a rotation plan.

  2. Run a 1-hour response drill

    • Pick the scenario you outlined earlier.
    • Simulate:
      • Discovery.
      • Decision-making.
      • Concrete actions (in staging or via dry-run).
    • Capture:
      • Where you were blocked (permissions, scripts, missing telemetry).
      • Which systems need better APIs or automation.

  3. Document the deltas

    • End the week with:
      • A before/after view of identity, secrets, infra, supply chain, and IR for one critical path.
      • A short list of “next 3 design changes” you’ll tackle next sprint.

Bottom line

  • Cybersecurity by design is not a tool category; it’s a way of constraining your architecture so that:
    • Insecure defaults are impossible or expensive.
    • Secure behavior is automatic or cheap.

If you can’t answer, in minutes and with code:

  • Who/what can access your crown jewels?
  • Where your high-value secrets live and how to rotate them?
  • How an attacker could move from CI or a single service into production data?
  • How you’d isolate and recover from a specific compromise?

—you’re running on accidental security.

Design the five graphs on purpose, and your security posture stops being “whatever emerged from tickets” and becomes an actual system you can reason about, change, and trust.

Similar Posts