Sohail Iqbal, Chief Information Security Officer at Veracode, spoke with TechNadu about today’s most pressing application-layer threats and how attackers compromise CI/CD pipelines.
Iqbal brings more than two decades of experience, spanning cybersecurity leadership roles at CarGurus, j2 Global, Dow Jones/WSJ, and Quest Diagnostics, among others. He led global security operations, guiding security programs across highly regulated environments and modernizing defenses.
Iqbal explains why privilege escalation inside runtime environments remains difficult to contain and addresses AppSec blind spots. The conversation also covers developer-level compromises, the reliability of detection signals, and more.
Vishwa: What are the top three application-layer attack vectors you see today? What makes them more vulnerable?
Sohail: The top three application-layer attack vectors today are:
Vishwa: Can you describe, step by step, how attackers compromise a CI/CD pipeline from code commit to production breach?
Sohail: Attackers compromise a CI/CD pipeline from code by targeting developer access through phishing, workstations, embedded secrets in published artifacts, and similar attack methods.
From this foothold, an attacker may attempt to push changes to source code or published artifacts, causing malicious or vulnerable code to move through the CI/CD process and ultimately reach production.
Vishwa: What techniques do attackers use to escalate privileges once inside an application runtime?
Sohail: Once inside an application runtime, attackers often escalate privileges by exfiltrating credentials and other secrets to expand their presence. They also probe for other services that would not otherwise be accessible so they can move laterally, reuse tokens, API keys, and session cookies to impersonate legitimate components or users, exploit misconfigured applications with authorization flaws to gain higher privileges, and weaponize scheduled tasks and cron jobs to maintain persistence or carry out privileged actions.
Vishwa: How do you validate that an AppSec program has actually reduced attacker success rather than just scanning more?
Sohail: By conducting regular penetration tests, threat hunting, and red teaming exercises that simulate real-world attacker scenarios, AppSec programs significantly reduce attacker success rates. These programs track meaningful metrics, such as the burn rate of critical issues and the size of the vulnerability backlog, providing a more accurate measure of security effectiveness compared to traditional scanning methods.
These proactive methods also reduce the average time to remediation and shorten attacker dwell time by validating fixes and enhancing detection and response capabilities.
Vishwa: In your experience, what are the most difficult attacks to contain and why?
Sohail: In my experience, the most difficult attacks to contain are those involving third-party dependencies. This includes end-of-life systems with no active support, third-party code or components where transparency is limited, and human oversight due to a lack of diligence in their actions.
While automation is essential in reducing attacker success, human oversight remains a vital part.
Vishwa: How do you see telemetry from build pipelines and application runtime evolving to improve early attack detection in the future?
Sohail: Secure-by-design elements significantly reduce the likelihood of successful attacks. Proper controls within applications, such as input validation, role-based access, and built-in encryption, greatly decrease the chances of attacks succeeding or triggering detectable security signals.
When applications and pipelines incorporate these controls, they not only reduce risk but also generate more detailed and reliable signals for security teams, enabling faster incident detection. Improved logging and signal correlation help identify anomalies quickly, while user and application behavior analysis assists in spotting malicious patterns.
Vishwa: How do you measure the gap between your detection capabilities and attacker dwell time?
Sohail: It all comes down to transforming your telemetry and actions from ad hoc or point-in-time assessments to continuous and automated programs. Detection controls need to be based on ongoing visibility, correlation of signals, automated triage, and threat hunting—the more gaps or manual steps in the process, the longer it takes to detect an attack.