Does continuous integration and continuous deployment (CI/CD) weaken an organization’s security posture?
Ultimately, everything has to shift left. Everybody has to be hyper-aware and have tools in their integrated development environment (IDE) when they're coding, compiling, testing and when they're pushing to whatever repository—then do that again and again. InfoSec security has to be at the beginning of every project, not at the middle, not at the end.
Compliance and legal can be discussed later, but when you're looking at the CI/CD process, you really have to lock it down and you need that verification. You can't just let code in and assume it's fine. Ask SolarWinds what could happen if you let the systems go through. Ask Experian what happens when you don't have a fully managed view of your servers, code, vulnerabilities and patch managers.
I think SolarWinds is so instructive because it was the perfect supply chain attack, and a supply chain attack on the government. And it resulted from just bad source code management, and we're all vulnerable to that. Experian, that was just a pathetic lack of patching. The new stuff is vulnerable because we have the same old stupid humans building them.
I think that the fundamental challenge of continuous integration and continuous deployment (CI/CD) is that we can't slow it down because CD always says, "Get the new version." You don't get to stand in the way and say, "Have you done a security check?" They're going to apply it anyway. The consequence of CI/CD and DevOps is that nothing ever gets documented, and as the security professional you're left out.