Home

Published

- 9 min read

Stop Chasing Developers

By William OGOU
Platform Engineering DevSecOps Cloud Security CISO Secure by Default Software Supply Chain Internal Developer Platform
img of Stop Chasing Developers

For years, DevSecOps was hailed as the answer to cloud security. The idea was appealing: embed security into every dev team, “shift left,” and make security part of the development process. So, we invested—in tools, training, and people.

But the results have been disappointing. We’re burned out, constantly chasing issues across pipelines, and security remains fragmented and inconsistent. Developers are overwhelmed, and security teams have become blockers instead of enablers.

This model isn’t working. It doesn’t scale, it creates tension, and it’s failing the business. Instead of chasing developers, it’s time to give them a secure, frictionless path to production—built and maintained through Platform Engineering.

The Flawed Dream: Why the Embedded DevSecOps Model Fails at Scale

The intention behind the traditional “embedded” DevSecOps model was noble, but it was built on a set of flawed assumptions that have crumbled under the weight of modern cloud-native development.

  • The Scalability Illusion: The math simply doesn’t work. In a large organization with hundreds of agile teams, you cannot hire enough security engineers to embed one in every squad. This leaves most teams operating with minimal to no direct security guidance, creating vast pockets of unmanaged risk.
  • The Inconsistency Nightmare: When security is decentralized, it becomes inconsistent. Each team, left to its own devices, adopts different tools, interprets policies differently, and develops its own “tribal knowledge.” The result is a patchwork of security controls that is impossible for a central team to govern or even understand. As the SANS Institute’s practitioner-focused research often highlights, this lack of standardization is a breeding ground for systemic weaknesses.
  • The Crushing Cognitive Load: We are asking developers to be experts in their programming language, their cloud provider’s services, their CI/CD tooling, and the nuances of a dozen different security scanners and frameworks. This is an unrealistic and unsustainable expectation. As thought leaders like Anton Chuvakin have argued, security should be an abstracted service, not another complex domain that developers must master.
  • The Tool Sprawl Catastrophe: In the absence of a centralized platform, teams will procure their own solutions for SAST, DAST, SCA, container scanning, and more. This leads to an explosion of tools, each with its own licensing costs, data silos, and alert formats, making it impossible for the SOC to get a clear, correlated picture of risk.

The Paradigm Shift: From Gatekeeper to City Planner with Platform Engineering

Platform Engineering proposes a new model. Instead of asking every developer to become an off-road expert, you build a safe, efficient and ready to production. This internal developer platform provides a curated set of tools, services, and guardrails that make the secure path the easiest and most attractive path.

The security team’s role transforms from being the tollbooth operator on hundreds of different dirt tracks to being the chief architect of this secure superhighway. This approach doesn’t take away developer autonomy; it provides them with the freedom to innovate within a secure and reliable framework, enabling velocity through security, not in spite of it.

Blueprint

Building a secure internal developer platform is a strategic initiative, not a single project. It requires a holistic view that integrates infrastructure, the software supply chain, and runtime operations. This is the new playbook for modern cloud threat detection and prevention.

Pillar 1: Secure-by-Default Infrastructure – The Foundation of the Road

The road must be built on solid ground. This means providing developers with a secure-by-default cloud environment, abstracted away from the complexities of low-level configuration.

  • Secure Landing Zones as a Service: The platform team should offer pre-configured, hardened cloud environments using Infrastructure as Code (IaC). This includes secure VPC designs, strict network segmentation, and IAM policies that follow the principle of least privilege, as outlined in Google Cloud’s Well-Architected Framework.
  • Preventative Guardrails with Policy-as-Code: Use tools like Google’s Organization Policies to enforce broad, non-negotiable security rules at the highest level (e.g., block the creation of public IP addresses, disable service account key creation). This removes entire classes of risk before a developer even starts a project.
  • Abstracted Networking and Identity: Developers shouldn’t have to be network engineers. The platform should provide secure, pre-configured connectivity patterns and IAM roles for common use cases, drastically reducing the risk of misconfiguration.

Pillar 2: The Secure Software Supply Chain Factory

This is where you stop chasing developers about vulnerable dependencies and hardcoded secrets. You build a factory that produces secure software artifacts by default.

  • Centralized, Hardened Base Images: Provide a curated registry of “golden” base images for containers and VMs. These images should be minimal, hardened, and continuously scanned for vulnerabilities, as advocated by security leaders like Sysdig.
  • The “Shift-Left” CI/CD Pipeline: The core of the paved road is a standardized, reusable CI/CD pipeline template that has security baked in. This “secure-by-default” pipeline automatically includes:
    • Software Composition Analysis (SCA): To detect and block the use of vulnerable open-source libraries.
    • Static Application Security Testing (SAST): To find vulnerabilities in the application code itself.
    • Secrets Scanning: To prevent API keys and other credentials from ever making it into a code repository.
    • Container Scanning: To ensure the final container image is free of known vulnerabilities before being pushed to a registry.
  • Secrets Management as a Service: Instead of letting developers manage secrets in environment variables or config files, the platform should provide a seamless integration with a centralized secrets manager like HashiCorp Vault or a cloud provider’s native solution.

Pillar 3: The Cloud-Native Security Operations Hub

The paved road must be continuously monitored by a modern SOC that understands the cloud.

  • From SIEM to a Unified Context Graph: The platform should feed high-fidelity telemetry into a modern detection platform, not a traditional SIEM. As platforms like Wiz have demonstrated, the key is a unified context graph that connects runtime events to the workloads, identities, data, and vulnerabilities that define their risk. This allows the SOC to see the full attack path, not just isolated, noisy alerts.
  • Real-Time Runtime Security: The platform must provide runtime protection. This means deploying agents powered by technologies like eBPF (the foundation of CNCF projects like Falco and Cilium) to monitor workload behavior in real-time. This is the only way to detect a threat that bypasses static scanning and executes within a running container.
  • Automated Feedback Loops: The platform should create a closed-loop system. When a runtime threat is detected in production, the system should automatically trace it back to the vulnerable library or code, open a ticket for the development team, and provide clear remediation guidance.

The Impact: A New Operating Model for Security

Adopting a platform engineering approach fundamentally changes the dynamic between security and the rest of the organization.

  • For Developers: Friction is replaced with flow. They are empowered to build and ship quickly, confident that the platform is providing a secure foundation. Their cognitive load is reduced, allowing them to focus on creating business value.
  • For the Security Team: The team evolves from a reactive, ticket-driven cost center to a proactive, strategic enabler. They spend less time on repetitive code reviews and vulnerability triage, and more time on high-impact activities like threat hunting, architecting new security services for the platform, and advising the business on emerging risks.
  • For the CISO and the Business: This model provides what every CISO is ultimately tasked with delivering: scalable, consistent, and measurable risk reduction. It allows the business to innovate at speed without accumulating massive security debt. It transforms security from a blocker into a competitive advantage.

Getting Started on Your Paved Road Journey

This transformation won’t happen overnight, but you can start today.

  • Form a Coalition: Create a cross-functional team with members from platform engineering, development, and security to champion this new model.
  • Identify the Biggest Potholes: Conduct interviews with developers. Where is the most friction? What security tasks are slowing them down the most? This will help you prioritize the first components of your paved road.
  • Build Your First Stretch of Highway: Don’t try to build the entire platform at once. Start with a high-impact, high-visibility project. A “golden” CI/CD pipeline template that includes automated SAST and SCA scanning is often a great place to start.
  • Market and Measure: Treat your platform as a product. Market it internally to development teams, highlighting the benefits of speed and reduced friction. Measure adoption rates and track the reduction in vulnerabilities found in production to demonstrate a clear return on investment.

Conclusion

For too long, security leaders have been forced to act like police chiefs, chasing down individual violations across a chaotic landscape. Platform engineering allows us to become city planners. We can design a modern, efficient, and secure metropolis where developers have the freedom to build amazing things, knowing that the infrastructure, the supply chains, and the emergency services are all designed to keep them safe by default.

It’s time to stop chasing developers. It’s time to build the road.

To further enhance your cloud security and implement Zero Trust, contact me on LinkedIn Profile or [email protected].

Secure Platform Engineering FAQ:

  • Does Platform Engineering mean taking away developer choice? Not at all. A well-designed platform provides a “paved road” of curated, secure tools, but it should also allow for “dirt paths” or exceptions when necessary. The goal is to make the secure and compliant path the path of least resistance, so developers choose it because it’s the easiest and fastest way to get to production.
  • How is this different from a traditional “shared services” model? While there are similarities, platform engineering is product-centric. The platform is treated as an internal product with developers as its customers. The focus is on providing a seamless, self-service developer experience, not just a collection of siloed tools that teams are forced to use.
  • What is the most critical first step in building a secure developer platform? The most critical first step is cultural: getting buy-in from both development and security leadership. Technologically, building a secure, reusable CI/CD pipeline template with integrated security scanning (SCA, SAST) is often the highest-impact starting point.
  • How does this model change the role of a security engineer? The role shifts from being a “code cop” who reviews pull requests and flags vulnerabilities to being a “platform architect” who builds and maintains the secure services, guardrails, and automated checks that are consumed by all development teams. It’s a more scalable and strategic role.
  • What is the relationship between a Platform Engineering approach and a modern SOC? They are two sides of the same coin. The secure platform provides high-fidelity, context-rich telemetry (e.g., from runtime sensors and the unified cloud asset graph) to the SOC. This allows the SOC to move away from chasing low-context, noisy alerts from a traditional SIEM and focus on detecting and responding to complex, real-world threats that target the cloud-native environment.