# AppSec for the Modern Engineering Ecosystem

By [Daniel Krivelevich](https://www.paloaltonetworks.com/blog/author/daniel-krivelevich/?ts=markdown "Posts by Daniel Krivelevich"), May 18, 2023, 4 minutes

[Application Security](https://www.paloaltonetworks.com/blog/category/application-security/?ts=markdown), [CI/CD](https://www.paloaltonetworks.com/blog/cloud-security/category/ci-cd/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/tag/appsec/?ts=markdown)

*As engineering becomes a driving force, how must AppSec evolve?*

Software engineering is changing, [becoming a driving force](https://start.paloaltonetworks.com/rs/531-OCS-018/images/3.2%20FINAL%20The%20State%20of%20Cloud%20Native%20Security%20Report%202023_3-2.pdf) in business and bringing about big changes in how application security ([AppSec](https://www.paloaltonetworks.com/cyberpedia/appsec-application-security)) is approached.
Complexity is gaining the upper hand, with more development languages, and new types of code security issues --- such as vulnerabilities in open-source code components --- making it even harder for AppSec to provide an overarching security umbrella for the engineering ecosystem. Let's take a look at what this paradigm shift means for the security professionals responsible for keeping applications safe.

## Engineering Is Undergoing a Paradigm Shift

Digital business is pushing software engineering to the forefront, bringing on a rapid evolution of the modern engineering ecosystem, which can be characterized by three main elements:

### Wide, Highly Dynamic Landscape of Technologies and Frameworks

Imported code libraries, third-party systems, and plugins have enabled engineers to build apps faster and enhance the overall quality of the software that's delivered. But they also introduce a new level of complexity that perpetuates an ever-changing ecosystem of disparate point solutions, frameworks and systems.

### Everything Is Codified

Historically, [software development was just about application code](https://www.paloaltonetworks.com/blog/prisma-cloud/application-infrastructure-security-101-blurring-cloud-native-app-layers/), but the lines are now blurred. Everything is codified today, with formerly manual practices, such as policy management and infrastructure provisioning, being transformed into the automated practices of [infrastructure as code (IaC)](https://www.paloaltonetworks.com/cyberpedia/what-is-iac) and [policy as code](https://www.paloaltonetworks.com/cyberpedia/what-is-policy-as-code), which allows teams to rapidly scale in the cloud and reduce the potential for mistakes due to human error.

### The Need for Speed and Agility Is Driving the Use of Automation

The technical barrier for the adoption of engineering technologies, such as [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes), Salt, and Ansible, has diminished.
This, combined with the need for increased speed, drives automation and enables organizations of all sizes to accelerate engineering practices and deliver greater customer value.

## Increased Complexity Challenges Traditional AppSec

The traditional AppSec challenge --- natively embedding secure development practices to prevent security flaws from getting into production --- is now more complicated because of the changes taking place in engineering. Culprits for this include:

* The sheer number of development languages, frameworks and technologies used by organizations as cloud native methodologies mature.
* The ease of adopting new technologies, which makes the landscape of languages and frameworks highly dynamic.
* The freedom engineers have to choose engineering technologies and frameworks (a new language/framework can be adopted and productionized within minutes, without any security boundary or need for approval).
* The number of different types of [code security](https://www.paloaltonetworks.com/cyberpedia/what-is-code-security) issues --- such as misconfigurations in IaC files, vulnerabilities in open-source software, and secrets hardcoded in source code --- with each language and framework potentially requiring a dedicated solution to effectively detect flaws at an effective signal-to-noise ratio.

## New Risks Require a New Focus in AppSec

In recent years, we've seen a shift in how attackers infiltrate cloud production environments. From SolarWinds, Codecov, Travis CI and CircleCI, it's clear that bad actors recognize the effectiveness of abusing the [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security). Targeting IaC misconfigurations, vulnerabilities in open-source code components, and exposed credentials, they've become proficient in exfiltrating confidential data and running malicious code in production environments.
This attack vector underscores the need to deliver comprehensive visibility and observability across the application lifecycle to optimize security posture against all existing and new risk surfaces.

## Four Guiding Principles for Securing the Engineering Ecosystem

As organizations recognize the importance of engineering to business success, the need for speed and agility becomes paramount. As a result, security must shift from the role of blocker to the role of facilitator. To do this, though, security must provide value on four fronts:

1. **Speed**: It's no longer acceptable for security organizations to restrict the speed of progress with their processes. In the cloud, engineering drives timelines, not the other way around. Security controls and measures must move at the speed of engineering.
2. **Integrability**: To ensure speed, security controls and solutions must be integrated seamlessly into the day-to-day engineering ecosystem, becoming part of the development process.
3. **Enablement**: Security doesn't have the mandate to restrict usage of specific technologies or frameworks. It must support engineers by enabling their use of whichever technologies and integrations suit their needs.
4. **Focus**: To enable fast-moving engineering teams, an effective signal-to-noise ratio must be in place. Unexploitable risks, or risks that don't pose high-impact threats to the business, must be filtered out. AppSec must be armed with highly contextualized risk insights into critical vulnerabilities.
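To make the "Focus" principle concrete alongside the three code-security issue classes the post names (IaC misconfigurations, vulnerable open-source components, hard-coded secrets), here is an added example of a small pre-merge triage step. It is illustrative code written for this page, not code from the post, from Palo Alto Networks, or from any product; the sample repository, the advisory feed and the severity rules are all constructed placeholders, and `AKIAIOSFODNN7EXAMPLE` is the placeholder access key id used in AWS documentation. The point it shows is that the same raw findings get different dispositions once deployment context is applied: a public ACL in a production Terraform file and a committed credential block the build, while the identical ACL in a dev directory or a vulnerable pin in test fixtures is reported without blocking.

```python
"""Added example: context-aware triage of code-security findings (hypothetical rules)."""
import re
from dataclasses import dataclass

# --- constructed sample repository (path -> file contents); nothing here is real code ---
SAMPLE_REPO = {
    "infra/prod/storage.tf": (
        'resource "aws_s3_bucket_acl" "reports" {\n'
        '  acl = "public-read"\n'
        '}\n'
    ),
    "infra/dev/storage.tf": (
        'resource "aws_s3_bucket_acl" "scratch" {\n'
        '  acl = "public-read"\n'
        '}\n'
    ),
    # AKIAIOSFODNN7EXAMPLE is the placeholder key id from AWS documentation
    "app/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = False\n',
    "app/requirements.txt": "examplelib==1.2.3\nsafe-lib==4.0.0\n",
    "tests/fixtures/requirements.txt": "examplelib==1.2.3\n",
}

# Hypothetical advisory feed: package -> (affected version, placeholder advisory id)
ADVISORIES = {"examplelib": ("1.2.3", "PLACEHOLDER-ADVISORY-0001")}

SEVERITY_ORDER = {"critical": 3, "high": 2, "low": 1}


@dataclass
class Finding:
    kind: str       # "iac" | "secret" | "dependency"
    path: str
    detail: str
    severity: str = "low"


def scan_iac(path, text):
    """Flag world-readable S3 ACLs in Terraform files (one simple IaC misconfiguration rule)."""
    if not path.endswith(".tf"):
        return []
    return [Finding("iac", path, "S3 bucket ACL is public-read")
            for _ in re.finditer(r'acl\s*=\s*"public-read"', text)]


AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
GENERIC_SECRET_RE = re.compile(r'(?i)\b(secret|password|token)\w*\s*=\s*["\'][^"\']{8,}["\']')


def scan_secrets(path, text):
    """Flag lines that look like a committed credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_RE.search(line) or GENERIC_SECRET_RE.search(line):
            findings.append(Finding("secret", path, f"possible hard-coded credential at line {lineno}"))
    return findings


def scan_dependencies(path, text):
    """Match pinned requirements against the (hypothetical) advisory feed."""
    if not path.endswith("requirements.txt"):
        return []
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([^\s#]+)", line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        adv = ADVISORIES.get(name)
        if adv and adv[0] == version:
            findings.append(Finding("dependency", path, f"{name}=={version} matches {adv[1]}"))
    return findings


def scan_repo(repo):
    """Run all three scanners over every file; this is the raw, un-prioritized signal."""
    findings = []
    for path, text in repo.items():
        findings += scan_iac(path, text) + scan_secrets(path, text) + scan_dependencies(path, text)
    return findings


def prioritize(findings):
    """Apply the Focus principle: rank by deployment context, not by raw finding count."""
    for f in findings:
        if f.kind == "secret":
            f.severity = "critical"   # a committed credential is usable wherever it sits
        elif "/prod/" in f.path:
            f.severity = "high"
        elif f.path.startswith("tests/") or "/dev/" in f.path:
            f.severity = "low"        # reported, but not worth stopping engineers for
        else:
            f.severity = "high"
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity], reverse=True)


def blocking_findings(repo, threshold="high"):
    """Findings at or above the threshold are the ones that should fail the pipeline."""
    ranked = prioritize(scan_repo(repo))
    return [f for f in ranked if SEVERITY_ORDER[f.severity] >= SEVERITY_ORDER[threshold]]


if __name__ == "__main__":
    for f in prioritize(scan_repo(SAMPLE_REPO)):
        print(f"{f.severity:8} {f.kind:10} {f.path}: {f.detail}")
```

On the constructed repository the scanners produce five raw findings, but only three (the credential and the two production-path issues) clear the blocking threshold; the other two are surfaced for follow-up without slowing the team, which is the signal-to-noise trade-off the principle describes. In a real pipeline the context rules would come from deployment metadata rather than path prefixes, and the advisory feed from a maintained vulnerability database.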
## Learn More

Check out our [Application Security Practitioner's Guide](https://www.paloaltonetworks.com/cyberpedia/application-security).