Beyond the Green Checkmark: Security IN and OF Your CI Pipeline - Derek Fisher

Disobey 2026 · Main Stage

In his Disobey talk, "Beyond the Green Checkmark: Security IN and OF Your CI Pipeline," Derek Fisher dissects the critical but often misunderstood role of security in the Continuous Integration/Continuous Delivery (CI/CD) pipeline. Fisher, a professor at Temple University and founder of Securely Built, argues that many organizations fall into "security theater": they bolt on one scanning tool after another, generating a flood of low-value alerts without actually improving their security posture. The core message is a dual imperative: securing the *code that flows through* the pipeline (security *in* the pipeline) and securing the *pipeline infrastructure itself* (security *of* the pipeline) against sophisticated attacks.
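To make the "security *of* the pipeline" half concrete, here is an added example (not code from the talk, the speaker, or Securely Built): a small static audit of a GitHub Actions workflow that flags the misconfigurations behind poisoned-pipeline-execution attacks, alongside the hardened counterpart that passes. The two workflows are constructed for this example in the dict form `yaml.safe_load` would return; the repository, the rule names, the placeholder commit SHA and the AWS account/role are all hypothetical, and the regexes are a deliberately small heuristic rule set, not a complete scanner.

```python
import re

# Constructed example workflows for a hypothetical repo, in the dict form
# yaml.safe_load returns. The first is written to contain the weaknesses,
# the second is the corrected version.
VULNERABLE_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {
        "runs-on": "ubuntu-latest",
        "steps": [
            # Checks out the attacker-controlled PR head under a trigger that
            # carries a write token and repository secrets: classic PPE.
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            # Untrusted PR title expanded straight into a shell command.
            {"run": 'echo "PR: ${{ github.event.pull_request.title }}" '
                    "&& npm install && npm test",
             "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
            # Long-lived cloud keys where the provider supports OIDC federation.
            {"uses": "aws-actions/configure-aws-credentials@v4",
             "with": {"aws-access-key-id": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                      "aws-secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}"}},
        ]}},
}

SHA = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real commit
HARDENED_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": None},  # fork PRs get a read-only token and no secrets
    "permissions": {"contents": "read", "id-token": "write"},  # least privilege + OIDC
    "jobs": {"test": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": f"actions/checkout@{SHA}"},
            {"run": "npm ci && npm test"},
            # Short-lived credentials via OIDC; placeholder account and role.
            {"uses": f"aws-actions/configure-aws-credentials@{SHA}",
             "with": {"role-to-assume": "arn:aws:iam::123456789012:role/ci-readonly",
                      "aws-region": "us-east-1"}},
        ]}},
}

# Heuristic patterns (example's own, not an exhaustive rule set).
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(ref|sha)")
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body)\s*\}\}")
LONG_LIVED_CLOUD_SECRET = re.compile(
    r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|GCP_SA_KEY|AZURE_CLIENT_SECRET)")
PINNED_SHA = re.compile(r"@[0-9a-f]{40}$")


def triggers(wf):
    """Return the set of event names a workflow runs on.

    PyYAML (YAML 1.1) loads a bare `on:` key as the boolean True, so a
    workflow read with yaml.safe_load keeps its triggers under True, not "on".
    """
    on = wf.get("on", wf.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def audit(wf):
    """Return (rule, location) findings for one workflow dict."""
    findings = []
    trig = triggers(wf)
    for job_name, job in wf.get("jobs", {}).items():
        # Without an explicit permissions block the job inherits the repo
        # default GITHUB_TOKEN scope, which is often read/write.
        if "permissions" not in wf and "permissions" not in job:
            findings.append(("no-explicit-permissions", job_name))
        for i, step in enumerate(job.get("steps", [])):
            where = f"{job_name}[{i}]"
            uses = step.get("uses", "")
            with_ = step.get("with") or {}
            env = step.get("env") or {}
            # Tag-pinned actions can be retargeted by whoever controls the tag.
            if uses and not uses.startswith("./") and not PINNED_SHA.search(uses):
                findings.append(("unpinned-action", where))
            # pull_request_target + checkout of the PR head = untrusted code
            # running with secrets and a write token.
            if ("pull_request_target" in trig and uses.startswith("actions/checkout")
                    and PR_HEAD.search(str(with_.get("ref", "")))):
                findings.append(("ppe-untrusted-checkout", where))
            # Attacker-controlled event fields interpolated into a shell.
            if UNTRUSTED_EXPR.search(step.get("run", "")):
                findings.append(("expression-injection", where))
            # Static cloud credentials in step inputs or environment.
            blob = " ".join(str(v) for v in [*with_.values(), *env.values()])
            if LONG_LIVED_CLOUD_SECRET.search(blob):
                findings.append(("long-lived-cloud-credential", where))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit(wf))
```

Run as a script it prints six findings for the first workflow and none for the second. The checks map onto the talk's "of the pipeline" concerns: the `pull_request_target` plus untrusted checkout rule is the poisoned-pipeline-execution pattern, the static-key rule is the case OIDC federation removes, and the permissions and pinning rules are what keeps a compromised step from reaching further than it needs to.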

AI review

Fisher covers the CI/CD security landscape competently — diff-aware scanning, ephemeral runners, OIDC, SLSA, PPE attack patterns — and the dual framing of security 'in' vs 'of' the pipeline is a clean organizing principle. Nothing here is wrong, but almost nothing here is new to anyone who's been paying attention to supply chain security since SolarWinds and the GitHub Actions poisoning research.

Watch on YouTube