Cider Security Publishes New Research Identifying the Top 10 CI/CD Security Risks


The research was compiled by Cider Security along with experts from Netflix, Atlassian, Mozilla, Lemonade Insurance, Rapid7, Databricks, and the former CISOs of Twitter and LivePerson

[Tel Aviv, Israel – March 16, 2022] – Researchers from Cider Security, the world’s first AppSec Operating System, today published a new research report, “Top 10 CI/CD Security Risks”, detailing the major security risks to the CI/CD (Continuous Integration/Continuous Delivery) ecosystem. 

“CI/CD environments, processes, and systems are the beating heart of any modern software organization. They bring great opportunities and advantages to engineering, but introduce an equal amount of opportunities for adversaries, which are targeting CI/CD as an efficient way to access the crown jewels of every organization – their production environment,” said Daniel Krivelevich, Co-Founder and CTO of Cider Security. “We developed this to help defenders have a better understanding of their evolving attack surface, and spark the much-needed discussion around the relevant preventative measures required to optimize CI/CD security”.

This research report serves as a guide to defenders, helping them identify and minimize CI/CD security risks by providing a breakdown of today’s most prominent attack vector as well as tips for mitigation. It was compiled on the basis of extensive research based on analysis of hundreds of CI/CD environments, discussions with industry experts, and publications of security incidents and security flaws within the CI/CD security domain. 

The risks outlined are: 

CICD-SEC-1: Insufficient Flow Control Mechanisms

CICD-SEC-2: Inadequate Identity and Access Management

CICD-SEC-3: Dependency Chain Abuse

CICD-SEC-4: Poisoned Pipeline Execution (PPE)

CICD-SEC-5: Insufficient PBAC (Pipeline-Based Access Controls)

CICD-SEC-6: Insufficient Credential Hygiene

CICD-SEC-7: Insecure System Configuration

CICD-SEC-8: Ungoverned Usage of 3rd Party Services

CICD-SEC-9: Improper Artifact Integrity Validation

CICD-SEC-10: Insufficient Logging and Visibility

This research report was created in collaboration with global industry experts across multiple verticals and disciplines, including Michael Coates, former CISO at Twitter, Adrian Ludwig, Chief Trust Officer at Atlassian, Astha Singhal, Director of Information Security at Netflix, Jonathan Claudius, Director of Security Assurance at Mozilla, Jonathan Jaffe, CISO at Lemonade Insurance, Ron Peled, Founder & CEO at ProtectOps, Travis McPeak, Head of Product Security at Databricks, Ian Amit, Advisory CSO at Rapid7, and others. 

You can access the full research report here.  

About Cider Security 

Cider Security is a first-of-its-kind AppSec Operating System that provides Security and Engineering teams a single, consistent method to orchestrate and implement end-to-end CI/CD security through a single, unified platform. The company takes a holistic approach to the security of the engineering processes and systems, from code to deployment. It establishes a comprehensive Technical DNA of the engineering environment, giving Security teams the transparency and visibility needed to optimize AppSec and achieve full resilience. Founded in late 2020 by cybersecurity industry veterans, Guy Flechter and Daniel Krivelevich, Cider Security’s mission is to solve the most commonly encountered challenges CISOs and security engineers face today. For more information, visit

Press Contact

Raanan Loew

IL:+972 54 467 6317

US:+1 347 897 9276 

UK:+44 203 769 2689


Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

No posts to display