
AppSec across code, pipeline, and runtime: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter

TL;DR: Modern application security now spans code, CI/CD, infrastructure, secrets, and runtime behavior, because one control point cannot keep pace with continuously changing software, according to Orca Security. The practical issue is not more findings, but connected visibility that separates reachable risk from noise.

NHIMG editorial — based on content published by Orca Security: Application Security (AppSec) across the full lifecycle

Questions worth separating out

Q: How should security teams handle exposed secrets in modern application environments?

A: Treat exposed secrets as active identity incidents, not just code defects.

Q: Why do modern applications make AppSec and IAM harder to separate?

A: Because the application now carries its own access logic through credentials, service permissions, deployment configuration, and runtime connections.

Q: How do teams prioritise AppSec findings without drowning in alerts?

A: Start with reachability and exploitability in runtime, not with scan volume.

Practitioner guidance

  • Map application access paths end to end: Trace where credentials, service accounts, and deployment permissions are created, copied, stored, and consumed across code, CI/CD, and runtime.
  • Separate reachable risk from theoretical findings: Use runtime context to distinguish vulnerabilities that sit behind real execution paths from those that appear in scans but are not reachable in production.
  • Search for secrets beyond source code: Include commit history, logs, pipeline output, and configuration artefacts in secret discovery.
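The third guidance point, searching for secrets beyond source code, as an added example that is not from this post or from Orca Security: a small scanner that runs one set of secret patterns over a commit-history excerpt, a CI log and a config file (all constructed) and reports redacted findings so the report itself does not become a new exposure. The pattern set, artefact names and sample values are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed pattern set: AKIA... is the AWS access key ID prefix, ghp_ the GitHub
# personal access token prefix; the last pattern catches key=value assignments
# that commonly carry credentials in configs, logs and pipeline output.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret_access_key|secret|token|api_key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

@dataclass
class Finding:
    artefact: str   # where the secret surfaced: commit history, CI log, config ...
    line_no: int
    kind: str
    redacted: str   # never re-log the full value; that would be a new exposure

def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_artefact(name: str, text: str) -> list[Finding]:
    """Scan one artefact line by line; the same value matched twice on a line is reported once."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(2) if m.lastindex else m.group(0)
                if value not in seen:
                    seen.add(value)
                    findings.append(Finding(name, n, kind, redact(value)))
    return findings

def scan_all(artefacts: dict[str, str]) -> list[Finding]:
    return [f for name, text in artefacts.items() for f in scan_artefact(name, text)]

# Constructed sample artefacts. The commit diff shows the case scanners of the
# working tree miss: the key was removed from HEAD but still lives in history.
SAMPLE_ARTEFACTS = {
    "commit_history": "commit 0123abc (constructed)\n"
                      "-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                      "+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n",
    "ci_log": "[build] step 3/5: fetch release metadata\n"
              "[build] curl -H 'Authorization: token ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8' https://api.github.com/user\n",
    "config": "database:\n  host: db.internal.example\n  password: \"sup3rs3cretpassw0rd\"\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_ARTEFACTS):
        print(f"{f.artefact}:{f.line_no} {f.kind} {f.redacted}")
```

Each finding is enough to open the identity incident the Q&A above calls for (which credential, where it surfaced) without copying the secret into yet another log.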

What's in the full article

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

  • The article expands each AppSec pillar with implementation examples for SAST, SCA, IaC scanning, secrets exposure, and runtime reachability.
  • It outlines how modern SDLC stages change the way teams should think about control placement across development, build, deployment, and production.
  • It includes practical context on AI-generated code, new dependency patterns, and why runtime insight matters when applications change continuously.
  • It explains how Orca positions connected cloud-to-dev visibility across the application lifecycle.

👉 Read Orca Security's analysis of application security across the full lifecycle →
