Your team has pinned every third-party action to an immutable SHA. Runners are GitHub-hosted, ephemeral, isolated. Someone ran zizmor once and filed a ticket. The posture feels done.
On an engagement I worked alongside Olakojo testing a product. Between Ola is one of the best offensive security engineers in this space, and watching him work is a lesson in patience: he does not spray exploits and hope. He reads the app, finds the innocent looking path, and walks in through the front door everyone believed was secure.
A Reddit thread on r/devops stuck with me: someone at a 600-developer org with 2,000 repositories, Okta pushing users via SCIM, was redesigning RBAC and asking whether GitHub teams could realistically be managed with IaC. The replies split fast: Entra groups, access-request tickets, safe-settings, Terraform, and one blunt take: "Don't. Unless you have a full team of Terraform experts."
If you stay in this space long enough, you'll one day face real incident before you retire, pivot, or quietly stop answering pages. Dont let it catch you off guard, compose and face it, haha, its your turn.
Every team generating an SBOM and calling it done is doing the security equivalent of buying a fire extinguisher, putting it in the closet, and never reading the label.
A rabona is not the obvious pass. You wrap your leg behind the standing one, hit the ball at an awkward angle, and somehow the play opens up anyway. VPN vs Zero Trust feels like that at first, same pitch, different move entirely.
Cloud costs at early stage startups rarely spiral because of recklessness.
They spiral because the team was moving fast, the architecture made sense at the time, and nobody had the bandwidth to revisit it.
By the time the bill becomes a problem, the decisions are already baked in.
I have been on both sides of this, burning through it personally, and leading teams trying to unwind it before the runway ran out. Here is what has actually worked.
Cloudflare Workers has become the go-to platform for deploying edge applications. It's easy to deploy, wrangler deploy and you are up.
If you've been following my journey with HashiCorp Vault on EKS, you've seen me talk about automating backups and setting up TLS. But as things scaled, I realized that detached manual processes and terraform/tofu-managed manifests were becoming a major friction point.
If you've been following my content, you know I'm big on IaC security. I've written about encrypting your OpenTofu state files before - because let's be honest, downloading unencrypted terraform state files dangling around has been a goldmine for attackers.