Securing Non-Human Identities in CI/CD Pipelines: The Next Major Attack Vector
Diva Bala Subramanion, Vikas
BSides Seattle 2026 · Day 1 · Track 1
Diva Bala Subramanion (Diva/Divs), a cybersecurity leader at Southwest Airlines specializing in identity and access management, and her co-presenter Vikas deliver a comprehensive, beginner-friendly session on securing non-human identities (NHIs) in CI/CD pipelines. The talk covers foundational DevOps and CI/CD concepts, deep-dives into the **Shai-Hulud** npm supply chain attacks of September and November 2025, and presents a four-layer defense framework covering discovery, secret elimination, least privilege, and governance.
AI review
A comprehensive, beginner-friendly walkthrough of non-human identity risks in CI/CD pipelines, anchored by a solid deep-dive into the Shai-Hulud npm supply chain attacks. The attack chain analysis is genuinely useful, showing how a single leaked PAT cascades into worm-like propagation across thousands of repos. The defense framework is sound but not novel. The first 20 minutes of DevOps history and restaurant analogies eat into time that could have gone to deeper technical content.