Johannesburg, 24 Feb 2026
South African organisations are building more software than ever before. What many of them are not doing is securing the identities and pipelines that build it.
Obsidian Systems has announced a strategic reseller and implementation partnership with BlueFlag Security, an identity-first software development lifecycle (SDLC) security company headquartered in Sunnyvale, California.
Under the agreement, Obsidian becomes BlueFlag’s exclusive in-country reseller and implementation partner, bringing the platform to enterprise and public sector customers across South Africa.
The focus is on protecting developer identities, machine accounts, and toolchains in modern software environments.
For years, security programmes have concentrated on endpoints, networks, and business applications. Meanwhile, development environments have expanded quietly. Developers push code to cloud repositories. CI/CD pipelines automate builds and deployments. Service accounts and API keys multiply. Access tokens linger long after projects end.
Attackers have noticed.
High-profile supply chain incidents such as SolarWinds and the XZ Utils backdoor have demonstrated that breaching the development process can have far-reaching consequences.
A compromised identity inside a build pipeline can introduce vulnerabilities into software that ultimately reaches thousands or millions of users.
“South African organisations are investing heavily in development capability, which is exactly what the economy needs,” says Muggie van Staden, CEO of Obsidian Systems. “But the security conversation has not kept pace. We secure production systems rigorously, yet we often overlook the identities and automation that produce the code in the first place.”
BlueFlag’s platform is built around what it calls an identity-first approach to SDLC security. Instead of treating developer tools as peripheral systems, it places identity governance at the centre of the development process.
The platform continuously monitors human and machine identities across repositories, CI/CD platforms, and related tooling, looking for over-permissioned accounts, dormant credentials, token sprawl, and misconfigurations that create lateral movement opportunities.
A distinguishing feature of the platform is its AI-driven identity intelligence layer. Rather than simply generating alerts, the system builds behavioural context around developers and automated agents, identifying material deviations and reducing the noise that often overwhelms security teams.
In modern DevOps environments, machine identities frequently outnumber human users by a significant margin. Service accounts, bots, and pipeline tokens often operate with broad permissions and limited oversight.
BlueFlag provides consolidated visibility across these non-human identities and enforces least-privilege principles across development environments.
For South African organisations facing cybersecurity skills shortages, the automation component is not incidental.
“No security team in this market has the capacity to review every repository, pipeline, and token manually. The value here is not just detection. It is governance at scale. You are extending the reach of your security team without adding headcount,” says van Staden.
Obsidian’s role will include pre-sales advisory, deployment, integration, and ongoing managed services around the BlueFlag platform.
The company intends to position SDLC identity security alongside its existing open-source and enterprise infrastructure offerings, particularly in sectors such as financial services, telecommunications, retail, and government, where internally developed software underpins critical services.
“What stands out in South Africa is the pace at which organisations are building and modernising internally developed systems,” says Raj Mallempati, CEO and Co-founder of BlueFlag Security. “Obsidian understands that environment deeply. Our role is to provide the governance foundation that ensures development growth translates into resilience, not new exposure”
BlueFlag’s platform is available immediately through Obsidian Systems in South Africa. Organisations can engage Obsidian to assess their current SDLC identity posture and to demonstrate the platform in action.
The conversation around software supply chain risk has moved beyond theory. For many enterprises, the next breach will not begin at the firewall. It will begin in a repository.
Share