The engineering ecosystem has undergone a massive paradigm shift: more languages, more frameworks, and minimal technical or procedural barriers to adopting new technologies or pulling in third-party tools and frameworks. This comes as organizations race to ship software as quickly as possible, delivering new features and cloud applications to remain competitive.

To speed up development and deployment, many organizations have turned to continuous integration and continuous delivery (CI/CD) solutions for more automated and agile testing, building, and deployment. This shift has brought unprecedented velocity, flexibility, and agility to engineering, with 77% of organizations now deploying new or updated code to production weekly, and 38% committing new code daily.

Speed is great, but not when it comes at the expense of security. Bad actors have recognized the engineering ecosystem as an attack surface that is both easy to target and ripe for exploitation, often with significant and lucrative results. The infamous SolarWinds attack happened because a build system was compromised: malicious code was injected during the build, and the trojanized update was distributed to roughly 18,000 customers. In another recent example, cybercriminals infiltrated CircleCI, a leading CI/CD platform that stores highly confidential customer secrets and tokens, and gained access to the secrets stored there. These incidents underscore how a single insecure element in an engineering environment can have detrimental consequences at scale.

The engineering ecosystem is often overlooked, as security teams tend to focus on reducing runtime misconfigurations and vulnerabilities rather than on the entire attack surface. This new reality, and the rising number of attacks on it, requires us to think differently about application security, the overarching security umbrella over the engineering ecosystem.
The traditional AppSec challenge, preventing security flaws and misconfigurations from reaching production, has become much more complex. In parallel, there is a completely new breed of risks and threats focused on abusing security flaws in the different systems and processes across the software delivery chain, all the way from code to deployment.

Developing the Foundation for an Effective Application Security Program

An effective application security program for the modern engineering ecosystem can be broken down into three disciplines: Security in the Pipeline (SIP), Security of the Pipeline (SOP), and Security Around the Pipeline (SAP).

SIP targets the code and artifacts flowing through the pipeline on their way to production, and aims to prevent security flaws and misconfigurations from reaching production environments. In SIP, we must continuously identify every development language and framework in use across the organization's entire codebase and ensure that the scanners and engines appropriate to those languages and frameworks are woven into the development process with as little friction as possible. This ensures new issues aren't introduced into the codebase and that existing issues are gradually eradicated.

SOP focuses on the security posture of each individual system within the software delivery chain, from code to deployment, as well as the interconnections between these systems and the third parties they rely on (the software supply chain). SOP is based on the understanding that the engineering ecosystem has become a lucrative target for adversaries, who have realized that it provides a highly effective way to execute malicious code in sensitive environments and to gain access to highly critical secrets and tokens.
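As an added example (not code from the original post, and not a Palo Alto Networks or Cider Security tool), the following Python script shows what a minimal SIP coverage check and a minimal SOP posture check look like side by side. It runs over a constructed repository file listing and a constructed GitHub Actions workflow; the manifest-to-ecosystem mapping, the scanner names it searches for, and the `example-org/*` action names are assumptions chosen for illustration.

```python
"""
Audit a repository snapshot for SIP coverage gaps and SOP posture findings.

Inputs are constructed sample data (a file listing and a workflow text), not
real project files. Mappings below are assumptions for this example.
"""
import re

# SIP: manifest files that reveal which ecosystems exist in the codebase.
MANIFEST_TO_ECOSYSTEM = {
    "package.json": "javascript",
    "requirements.txt": "python",
    "pyproject.toml": "python",
    "go.mod": "go",
    "pom.xml": "java",
    "Dockerfile": "container",
    "main.tf": "terraform",
}

# SIP: substrings that, when present in the CI definition, count as scanner
# coverage for an ecosystem. Assumed tool names; adjust to your mandated engines.
ECOSYSTEM_SCANNERS = {
    "javascript": ("npm audit", "semgrep"),
    "python": ("pip-audit", "bandit", "semgrep"),
    "go": ("govulncheck", "gosec", "semgrep"),
    "java": ("dependency-check", "semgrep"),
    "container": ("trivy", "grype"),
    "terraform": ("checkov", "tfsec"),
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
HEAD_REF_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head")


def detect_ecosystems(paths):
    """SIP step 1: infer ecosystems from manifest file names anywhere in the tree."""
    found = set()
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name in MANIFEST_TO_ECOSYSTEM:
            found.add(MANIFEST_TO_ECOSYSTEM[name])
    return found


def find_coverage_gaps(paths, workflow_text):
    """SIP step 2: ecosystems present in the repo with no matching scanner in CI."""
    text = workflow_text.lower()
    gaps = [
        eco for eco in detect_ecosystems(paths)
        if not any(tool in text for tool in ECOSYSTEM_SCANNERS[eco])
    ]
    return sorted(gaps)


def audit_workflow(workflow_text):
    """SOP: posture checks on the pipeline definition itself (line-based, no YAML lib)."""
    findings = []
    for ref_spec in USES_RE.findall(workflow_text):
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue  # local action or image reference, not a tagged third-party action
        action, _, ref = ref_spec.partition("@")
        if not SHA_RE.match(ref):  # tags and branches are mutable; only a commit SHA is immutable
            findings.append(("unpinned-action", f"{action} pinned to mutable ref '{ref or '<none>'}'"))
    # pull_request_target runs in the base repo context with secrets; checking out the
    # PR head and running its code hands those secrets to an outside contributor.
    if "pull_request_target" in workflow_text and HEAD_REF_RE.search(workflow_text):
        findings.append(("pwn-request", "pull_request_target job checks out untrusted PR head with secrets available"))
    if re.search(r"^\s*permissions:\s*write-all\s*$", workflow_text, re.MULTILINE):
        findings.append(("broad-token", "GITHUB_TOKEN granted write-all instead of least privilege"))
    return findings


SAMPLE_FILES = [  # constructed repository listing
    "package.json", "src/index.js", "services/api/go.mod",
    "Dockerfile", "infra/main.tf", ".github/workflows/ci.yml",
]

SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
      - uses: example-org/semgrep-action@v1
      - uses: example-org/trivy-action@0123456789abcdef0123456789abcdef01234567
"""  # constructed workflow; example-org actions and the SHA are placeholders

if __name__ == "__main__":
    print("SIP coverage gaps:", find_coverage_gaps(SAMPLE_FILES, SAMPLE_WORKFLOW))
    for rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"SOP finding [{rule}]: {detail}")
```

On the sample data the SIP check reports Terraform as an ecosystem with no scanner in the pipeline, and the SOP check flags three actions pinned to mutable tags, the `pull_request_target` plus PR-head checkout pattern, and the over-broad token. A production version would parse the workflow with a YAML library and walk every job and reusable workflow rather than matching lines, but the two questions it answers are the ones SIP and SOP ask: do we scan everything we build, and is the machinery doing the building itself hardened.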
In SOP, rather than focusing on the code and artifacts flowing through the software delivery chain, as we do in SIP, the focus is on the security controls and measures around the delivery chain itself.

SAP is designed to ensure the integrity of the software delivery chain and apply the controls needed to prevent anyone, human or application, from bypassing it. The reality is that even optimal SIP and SOP are only partially effective if an attacker can push code directly to production or deploy a malicious container directly to Kubernetes. To achieve effective SAP, we must be able to answer two main questions:

Effective application security now extends far beyond the traditional scope of code scanning and must reflect the modern engineering environment. SIP, SOP, and SAP center on supporting the speed of engineering without compromising on risk and security management. By focusing on these three disciplines, organizations can guide their security and developer teams to build modern, secure, and scalable engineering ecosystems in the cloud.

Learn about the top 10 CI/CD security risks and what practical actions you can take to secure the engineering ecosystem.

Daniel Krivelevich is a cybersecurity expert and problem solver, and an enterprise security veteran with a strong orientation toward application and cloud security. After extensive service in Israel's Unit 8200, Daniel held multiple positions in the AppSec domain spanning offensive, defensive, and consulting roles. After leading Application Security and Cloud Security at the Israeli IR firm Sygnia for four years, working with 100+ enterprises on optimizing cyber resilience, Daniel co-founded Cider Security as the company's CTO, leading its product and technology from inception through acquisition by Palo Alto Networks. Today, Daniel serves as CTO of AppSec for Palo Alto Networks.