cdCon 2025 Program is live! Register for OSSummit by April 7 to take advantage of the early-bird price.
Read More
Apply to be part of the CD Foundation 2025 Ambassador cohort by April 2.
Read More
The Governing Board election results are in! Here are the two new members serving for 2025-2027.
Read More
You know the DORA Metrics but you probably don't know them like this. How does CDEvents fit in and how do you "get better at getting better"?
Read More
Congratulations to Jenkins for winning the "Most Innovative DevOps Open Source Project Award" for the second year in a row.
Read More
Help us develop an inclusive set of DataOps and DevOps best practices to allow others leverage open source tools and frameworks for streamlined, secure, and scalable ML application deployment.
Read More
Contributed by Tracy Ragan, DeployHub
Overview
Continuous Integration and Continuous Delivery (CI/CD) pipelines have become indispensable in modern software development. These pipelines are critical touchpoints where code-level vulnerabilities, container security issues, and vulnerability remediation efforts converge. As the demand for stronger security measures grows across the software lifecycle—from code to cloud—CI/CD teams face increasing pressure to embed robust cybersecurity guardrails directly into their processes.
The CD Foundation’s CI/CD Cybersecurity SIG (Special Interest Group) aims to address this challenge by advancing security tooling within CI/CD pipelines. This group will define DevSecOps best practices and develop frameworks to enable secure pipeline implementation, ensuring seamless security integration from code to cloud.
Why This SIG Is Needed
The necessity of this SIG is underscored by rising industry challenges and trends:
1. Rising Vulnerabilities:
- In 2024 alone, over 500,000 new vulnerabilities were identified.
- Many vulnerabilities remain unaddressed for over a year, exposing organizations to significant risks.
- IBM research shows that delays in vulnerability remediation cost enterprises an average of $5.5 million annually.
2. Expanding Threat Landscape with AI:
- The rapid development of AI-driven solutions has introduced new security challenges.
- This trend has broadened the attack surface, particularly in securing pipelines associated with Large Language Models (LLMs) and other AI workloads.
While organizations like the Cloud Native Computing Foundation (CNCF) and the Open Source Security Foundation (OpenSSF) are developing innovative security tools, discussions around their integration within CI/CD pipelines remain limited. Addressing this gap is critical for the evolution of CI/CD practices.
SIG Goals and Objectives
The CI/CD Cybersecurity SIG seeks to:
1. Develop Integration Frameworks:
- Create specifications and standards for integrating open source and proprietary security tools into CI/CD pipelines.
2. Promote Security Best Practices:
- Establish security guardrails for CI/CD teams, focusing on key areas like:
- Code-level security
- Container security
- Vulnerability management
3. Identify and Evaluate Emerging Tools:
- Act as a resource for evaluating and recommending security tools to meet evolving CI/CD requirements.
4. Collaborate with Industry Leaders:
- Engage with CNCF, OpenSSF, and other relevant communities to promote cross-industry collaboration.
Scope of Work
The SIG will undertake the following key activities:
- Develop and disseminate frameworks, playbooks, and guidelines for securely integrating security tooling within CI/CD.
- Provide recommendations for securing pipelines used in AI and LLM deployments.
- Identify gaps in current CI/CD security tooling and collaborate with the community to address these gaps.
- Review and enhance existing security recommendations tailored specifically to CI/CD pipelines.
Key references for the SIG’s work include:
- The NIST Secure Software Development Framework
- IBM’s X-Force Threat Landscape Report
- The NIST Cybersecurity Framework
- Securing the AI Software Supply Chain
Audience and Participants
The CI/CD Cybersecurity SIG welcomes participation from all professionals and organizations engaged in CI/CD, AI, and security. Key groups include:
- Open source project communities from CDF, OpenSSF, and CNCF
- CDF and OpenSSF Ambassadors
- Members of the OpenSSF DevRel Committee
- Attendees of CDF CD Events
- CDF Member companies
- CDF End User Council participants
Who Should Join
The effort is open to all involved in CI/CD, AI, and Security. Within CDF it is essential we engage our broader community, including:
- Open source project communities from the CDF, OpenSSF, and CNCF
- CDF and OpenSSF Ambassadors
- OpenSSF DevRel Committee
- CDF CDEvents
- CDF Member companies
- CDF End User Council participants
How to Join
- Join the CICD-Cybersecurity GitHub repo and add your name to the read.me.
- Join the Continuous Delivery Foundation’s Slack and find the #sig-cicd-cybersecurity channel.
- Join the SIGs mailing list
SIG Monthly Meetings
Our next meeting is on February 4, 2025. Request a meeting invitation.
Conclusion
The CI/CD Cybersecurity SIG represents a pivotal initiative to enhance security in CI/CD pipelines and address modern cybersecurity demands. By focusing on integration frameworks, security best practices, and emerging tooling, the SIG will support organizations in embedding robust security measures into every stage of their CI/CD processes. This effort will ensure a resilient and secure software development lifecycle, empowering teams to build and deploy software with confidence.
Watch the recording of the first meeting here ⬇️
Alpha-Omega has provided a grant for three months of full-time work to improve the Jenkins implementation of Content Security Policy.
Read More
The open source project Shipwright is accepted as a CNCF Sandbox Project, moving out from the CD Foundation.
Read More
CD Foundation welcomes new General Member: Trace Machina. They build simulation infrastructure for next-generation technologies such as AI, robotics, and autonomous mobility.
Read More
