Today CISA, the US government's top cybersecurity agency, leaked their secrets on GitHub.1
The question everyone should be asking is how those secrets got there in the first place.
My answer? It's a UX problem. Specifically a DX one (DX = Developer Experience, which I consider a subset of UX).
The reason any team commits secrets, encrypted or not, to source control is that it's easy and feels secure. Many teams or individuals who use source control treat it as a control plane for everything code related, whether that is deployments, bug/issue tracking or, in this unfortunate case, sharing credentials. GitHub has an auth layer, so it FEELS secure, and many teams mistakenly think that is sufficient, particularly when nothing in their security checklist tells them it's unsafe. I don't blame these teams. It takes time to truly understand things like authorization, least-privileged access, encryption, etc., and the world moves too fast to dig into such dense topics. The solution, however, is not more education or more controls.
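Whatever the long-term fix, the cheapest place to catch a credential headed for source control is before the commit lands. The script below is an added example, not code from the original post or from Capy: a minimal pre-commit scan over a staged diff that ignores removed lines and context, flags added lines with three rules (a fixed AWS access key prefix, a high-entropy quoted string, and a credential-looking assignment), and reports only a redacted prefix so the scanner's own output does not become a second leak. The diff text, the fake key, and the entropy thresholds are constructed for illustration.

```python
"""Minimal pre-commit secret scan over a staged diff (added example, not Capy code)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Constructed sample shaped like `git diff --cached -U0` output. Every value is fake.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,6 @@
 DEBUG = True
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+DB_PASSWORD = "hunter2"
+API_TOKEN = "9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c"
+GREETING = "hello world"
-OLD_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
"""

# Rule 1: AWS access key IDs have a fixed, publicly documented shape.
AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: any quoted, whitespace-free literal of 20+ chars is an entropy candidate.
QUOTED = re.compile(r"""["']([^"'\s]{20,})["']""")
HEX = re.compile(r"[0-9a-fA-F]+")
HEX_THRESHOLD = 3.5   # max for hex is 4.0 bits/char; constructed cut-off
B64_THRESHOLD = 4.5   # max for base64 is 6.0 bits/char; constructed cut-off
# Rule 3: a credential-looking name assigned a quoted literal, regardless of entropy.
CRED_ASSIGN = re.compile(
    r"""(?i)(password|passwd|secret|token|api_key)\w*\s*[:=]\s*["']([^"']+)["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Show just enough to locate the value in the file, never the value itself."""
    return f"{value[:4]}... ({len(value)} chars)"


def classify(content: str):
    """Return (rule_name, matched_value) for the first rule that fires, else None."""
    m = AWS_KEY.search(content)
    if m:
        return "aws-access-key-id", m.group(0)
    for m in QUOTED.finditer(content):
        value = m.group(1)
        threshold = HEX_THRESHOLD if HEX.fullmatch(value) else B64_THRESHOLD
        if shannon_entropy(value) > threshold:
            return "high-entropy-string", value
    m = CRED_ASSIGN.search(content)
    if m:
        return "credential-assignment", m.group(2)
    return None


def scan_diff(diff_text: str) -> list:
    """Scan only lines being added; '+++' is the file header, '-' lines are removals."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        hit = classify(line[1:])
        if hit:
            rule, value = hit
            findings.append({"line": lineno, "rule": rule, "redacted": redact(value)})
    return findings


def main() -> int:
    """Use as a pre-commit hook: non-zero exit blocks the commit."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0"], capture_output=True, text=True, check=True
    ).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"diff line {f['line']}: {f['rule']} {f['redacted']}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample, the scan reports the fake AWS key, the `DB_PASSWORD` assignment and the hex `API_TOKEN`, while `GREETING` and the removed `OLD_TOKEN` line pass. A real deployment would add vendor-specific patterns and an allow-list for test fixtures; the point here is that the check costs a few dozen lines and runs before GitHub's auth layer ever has a chance to feel sufficient.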
This leak proved that even with the strictest controls and audits, organizations are not immune to bad Secrets practices. While CISOs can mandate defence-in-depth strategies for employees who comply, security is often more of a burden and an annoying checklist item to implement (MFA, rotations, etc.).
Rigid guidelines are insufficient for leak-proofing an ever-evolving technology and personnel landscape. As both change tremendously in the new age of LLMs, it is imperative that security be made more approachable, and almost second nature.
This is exactly the reason I chose to build Capy. I wanted to strike at the heart of this problem by making good SecretOps so SIMPLE it's invisible. The only way to achieve this is through better design.