Raj Mallempati

March 18, 2024

It’s been an exciting ride in cybersecurity for me the last few years. I am grateful to everyone who has been part of that journey, especially my team at CloudKnox as we navigated a successful acquisition by Microsoft in 2021, and then my brief but meaningful time spent at Microsoft focused on CIEM. Since mid-2022, I have been laser-focused on a new path, building something new with a standout team of innovators. Today, I’m eager to share a glimpse into my latest venture, currently in stealth.

Allow me to set the stage. As an industry, we’ve witnessed an unprecedented surge in cyber-attacks against software supply chains, recording twice as many incidents in 2023 as the combined total from 2019-2022. This daunting statistic underscores a dire need to rethink the ways we secure and govern each phase of the Software Development Lifecycle (SDLC).

There’s a commonly held belief that, if you can protect code and tools, you can protect the company from supply chain attacks. But this approach neglects the riskiest attack vector facing the SDLC: identity. With a deep background in CIEM, I can confidently say that human and machine identities are a fundamental gap for our industry. Therefore, while acknowledging code and development tools as foundational elements, it is essential to highlight developer identities and machines as the critical components that complete the security trifecta within the SDLC.

Introducing BlueFlag Security, an SDLC security and governance platform offering a multi-layered defense strategy that safeguards developer identities and their tools, spanning from code to production. I firmly believe that our identity-centric approach is more than just a strategy—it’s a philosophy.

Why did we choose the name “BlueFlag Security”?

“BlueFlag” carries a deep significance that mirrors the ethos of our company. For a self-declared “beach bum” like me, the iconic blue flag is one of the world’s most recognized voluntary awards for beaches, marinas, and boats, representing a pristine and sustainable environment for all inhabitants. This, along with the military connotation of securing a beach and waving a blue flag to declare it safe, parallels our commitment to creating a secure and clean software development environment. The name BlueFlag is more than a label—it's our pledge to maintain vigilance, integrity, and excellence in everything we do.

At BlueFlag Security, our goal is to transform the software development process by implementing robust identity intelligence-based security protocols throughout the SDLC to identify, prioritize, and remediate vulnerabilities and threats before they become major breaches. Our mission is to deliver a comprehensive and ubiquitous security and governance platform that offers continuous risk management and compliance, ensuring that each development stage is efficient and secure and provides developers with a clean, trustworthy environment.

Integrating SDLC Security and Governance with BlueFlag Security

In the SDLC realm, governance and security are often seen through different lenses. Security practitioners view governance as a means to mitigate risks, while compliance officers focus on governance as evidence of security and regulatory adherence. For engineering teams, it reflects both the product’s security and the development process's efficiency.

BlueFlag Security harmonizes these perspectives, offering a platform that caters to the needs of security, governance, and compliance professionals. We see SDLC governance as encompassing the entire software development lifecycle, integrating aspects like CI/CD, Open-Source Software (OSS) governance, identity governance, and continuous compliance into a unified approach.

The Overlooked Attack Vector in SDLC Security and Governance: Identity

The escalation of attacks targeting identities underscores a critical vulnerability within the SDLC. Poorly managed identities, both human and non-human (i.e., service accounts and applications), have led to significant security breaches, as seen with LastPass and Okta. These incidents demonstrate that without stringent identity governance, attackers can easily exploit stolen identities to access the SDLC, inserting malicious code or exfiltrating data. Implementing an identity-centric approach not only enhances the security of developer infrastructure but also strengthens the entire SDLC process against such vulnerabilities, providing robust protection against identity-based threats.

What does the future hold for BlueFlag Security?

Traditionally, the cybersecurity community has championed Application Security Posture Management (ASPM) as the quintessential framework for securing the SDLC. While ASPM does unify some aspects of security for developers, it offers an outdated perspective by not fully addressing the most significant risk and attack vector: identity.

The tendency to overlook identity as the foundation of software-related attacks is not new, largely due to the complexity involved in effectively managing it. However, recognizing this gap is just the beginning. We need to prioritize identity security by seamlessly combining it with code scanning and posture management practices. This approach will ensure a holistic security perspective throughout the entire development lifecycle.

Our commitment is to relentlessly refine and advance our security practices, staying one step ahead of emerging threats. This ensures that your development processes remain secure, pristine, and efficient. Stay tuned for more updates as we approach our launch. I am eager to unveil more about BlueFlag Security's contributions to the industry very soon.