Introducing CI/CD Cybersecurity Special Interest Group (SIG) for the Continuous Delivery Foundation


Contributed by Tracy Ragan, DeployHub

Overview

Continuous Integration and Continuous Delivery (CI/CD) pipelines have become indispensable in modern software development. These pipelines are critical touchpoints where code-level vulnerabilities, container security issues, and vulnerability remediation efforts converge. As the demand for stronger security measures grows across the software lifecycle—from code to cloud—CI/CD teams face increasing pressure to embed robust cybersecurity guardrails directly into their processes.

The CD Foundation’s CI/CD Cybersecurity SIG (Special Interest Group) aims to address this challenge by advancing security tooling within CI/CD pipelines. This group will define DevSecOps best practices and develop frameworks to enable secure pipeline implementation, ensuring seamless security integration from code to cloud.


Why This SIG Is Needed

The necessity of this SIG is underscored by rising industry challenges and trends:

1. Rising Vulnerabilities:

  • In 2024 alone, over 500,000 new vulnerabilities were identified (for comparison, roughly 40,000 CVE records were published that year, so this figure counts findings well beyond unique CVE IDs).
  • Many vulnerabilities remain unaddressed for over a year, exposing organizations to significant risks.
  • IBM research shows that delays in vulnerability remediation cost enterprises an average of $5.5 million annually.

2. Expanding Threat Landscape with AI:

  • The rapid development of AI-driven solutions has introduced new security challenges.
  • This trend has broadened the attack surface, particularly in securing pipelines associated with Large Language Models (LLMs) and other AI workloads.

While organizations like the Cloud Native Computing Foundation (CNCF) and the Open Source Security Foundation (OpenSSF) are developing innovative security tools, discussions around their integration within CI/CD pipelines remain limited. Addressing this gap is critical for the evolution of CI/CD practices.


SIG Goals and Objectives

The CI/CD Cybersecurity SIG seeks to:

1. Develop Integration Frameworks:

  • Create specifications and standards for integrating open source and proprietary security tools into CI/CD pipelines.

2. Promote Security Best Practices:

  • Establish security guardrails for CI/CD teams, focusing on key areas like:
    • Code-level security
    • Container security
    • Vulnerability management

3. Identify and Evaluate Emerging Tools:

  • Act as a resource for evaluating and recommending security tools to meet evolving CI/CD requirements.

4. Collaborate with Industry Leaders:

  • Engage with CNCF, OpenSSF, and other relevant communities to promote cross-industry collaboration.

Scope of Work

The SIG will undertake the following key activities:

  • Develop and disseminate frameworks, playbooks, and guidelines for securely integrating security tooling within CI/CD.
  • Provide recommendations for securing pipelines used in AI and LLM deployments.
  • Identify gaps in current CI/CD security tooling and collaborate with the community to address these gaps.
  • Review and enhance existing security recommendations tailored specifically to CI/CD pipelines.

Key references for the SIG’s work include:


Audience and Participants

The CI/CD Cybersecurity SIG welcomes participation from all professionals and organizations engaged in CI/CD, AI, and security. Key groups include:

  • Open source project communities from CDF, OpenSSF, and CNCF
  • CDF and OpenSSF Ambassadors
  • Members of the OpenSSF DevRel Committee
  • Attendees of CDF CD Events
  • CDF Member companies
  • CDF End User Council participants

Who Should Join

The effort is open to all involved in CI/CD, AI, and security. Within the CDF, it is essential that we engage our broader community, including:

How to Join

SIG Monthly Meetings

Our next meeting is on February 4, 2025. Request a meeting invitation.


Conclusion

The CI/CD Cybersecurity SIG represents a pivotal initiative to enhance security in CI/CD pipelines and address modern cybersecurity demands. By focusing on integration frameworks, security best practices, and emerging tooling, the SIG will support organizations in embedding robust security measures into every stage of their CI/CD processes. This effort will ensure a resilient and secure software development lifecycle, empowering teams to build and deploy software with confidence.

Watch the recording of the first meeting here.

How Fidelity Investments drives software innovation at scale


CD Foundation Governing Board Member Ger McMahon, Head of ALM Tools and Platforms at Fidelity Investments, joined host Rob Zuber, CTO at CircleCI, on "The Confident Commit" podcast to discuss Fidelity's approach to software innovation.

Episode Summary:

In this episode, Rob and Ger explore the unique challenges of delivering software rapidly in a large enterprise. They dive into strategies for fostering innovation and effectively sharing ideas across diverse teams within the organization.

Ger highlights the delicate balance between building internal tools and creating customer-facing applications, emphasizing the critical role of keeping the customer at the center of decision-making. He also shares insights into why Fidelity prioritizes being a “technology company that delivers financial services,” and how that mindset shapes their approach to software development.

Whether you’re part of a large organization or navigating the complexities of enterprise software delivery, this episode offers valuable perspectives and actionable ideas.

Listen to the Podcast Episode on Spotify or watch it on YouTube.

💡 Want to learn more about how Fidelity Investments Secures their Software Supply Chain using CDEvents and Jenkins? Read this case study (PDF).

Experience Continuous Delivery Innovation at CD Mini Summit 


Contributed by Garima Bajpai, CDF Ambassador Chair

The Continuous Delivery Mini Summit, happening on September 19 in Vienna, Austria, co-located with Open Source Summit Europe, is a focused half-day event for CI/CD practitioners, community leaders, startup founders, and investors who want to dig into Continuous Delivery innovation, new features, and the roadmaps presented by the open source communities behind the Continuous Delivery stack.

Continuous Delivery will have a significant impact on how quickly software can be delivered in the coming years. It is therefore important to focus on standardized approaches to integrating technology into the CI/CD ecosystem, with the help of open source communities. The CD Foundation brings CI/CD practitioners together through initiatives such as publishing reports and organizing summits. The latest State of CI/CD Report, published by the CD Foundation, highlighted several areas for improvement in the CI/CD stack, including software deployment performance. It found that deployment performance is worse when multiple CI/CD tools of the same kind are used together, likely because of interoperability challenges.

This year, the key talks at the CD Mini Summit center on features that improve interoperability, observability, and progressive rollouts. To draw attention to interoperability-related innovation, we have talks showing how open source projects are solving that challenge for Continuous Delivery.

CDEvents builds on Continuous Delivery best practices to define a common language for CI/CD ecosystem events. Standardized events simplify the integration of workflows across different systems and improve observability and auditability. The CDEvents project recently released the fourth version of its interoperability and observability specification. The first talk at the CD Mini Summit, "What's new in CDEvents v0.4", covers what is new in the specification, the latest on CDEvents adoption, and the work of the CDEvents community. The speaker will also give insight into the project roadmap, current collaborations with other communities, and how to join CDEvents.

Another talk, "Enhancing Interoperability in CI/CD Workflows Using CDEvents", addresses visibility and interoperability between tools developed by different open source communities. It shares the experience of adding CDEvents support to various tools using the CDEvents Java SDK, Go SDK, and Webhook Adapter, which enable adoption of CDEvents in tools such as Spinnaker, Flux, Jenkins, and Gerrit, and demonstrates a CI/CD workflow that spans these tools.
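To make the "common language" idea from the two CDEvents talks above concrete, here is an added example (not code from the CDEvents project, its SDKs, or the speakers): a producer that emits a CDEvents-shaped `pipelinerun.finished` event and a consumer-side check of the kind an audit or observability service would run before trusting an event. The context/subject envelope and the `dev.cdevents.<subject>.<predicate>.<major>.<minor>.<patch>` type format follow the CDEvents specification as I understand it; the `source` path, pipeline names, and URLs are constructed, and field names should be confirmed against the published schema for the spec version you target.

```python
"""Added example: produce and validate a CDEvents-shaped pipelineRun event.

Envelope layout (context + subject) and the versioned type string follow the
CDEvents spec as understood by the author of this example; sample values are
constructed and the source path is hypothetical.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# CDEvents type strings carry their own schema version per event kind,
# e.g. "dev.cdevents.pipelinerun.finished.0.2.0" (subject, predicate, semver).
TYPE_RE = re.compile(
    r"^dev\.cdevents\.(?P<subject>[a-z]+)\.(?P<predicate>[a-z]+)"
    r"\.(?P<version>\d+\.\d+\.\d+)$"
)
REQUIRED_CONTEXT = ("version", "id", "source", "type", "timestamp")
REQUIRED_SUBJECT = ("id", "source", "type", "content")
ALLOWED_OUTCOMES = ("success", "error", "failure")


def pipelinerun_finished(pipeline_name, run_id, url, outcome,
                         source="/ci/example-jenkins"):  # hypothetical source
    """Build a dict shaped like a CDEvents 'pipelineRun finished' event."""
    if outcome not in ALLOWED_OUTCOMES:
        raise ValueError(f"unexpected outcome {outcome!r}")
    return {
        "context": {
            "version": "0.4.1",  # spec version the event claims to follow
            "id": str(uuid.uuid4()),
            "source": source,
            "type": "dev.cdevents.pipelinerun.finished.0.2.0",
            "timestamp": datetime.now(timezone.utc).isoformat(),
        },
        "subject": {
            "id": run_id,
            "source": source,
            "type": "pipelineRun",
            "content": {"pipelineName": pipeline_name, "url": url,
                        "outcome": outcome},
        },
    }


def parse_type(event_type):
    """Split a CDEvents type string into (subject, predicate, version)."""
    m = TYPE_RE.match(event_type)
    if not m:
        raise ValueError(f"not a CDEvents type string: {event_type!r}")
    return m.group("subject"), m.group("predicate"), m.group("version")


def validate(event):
    """Consumer-side structural check. Returns a list of problems (empty = ok).

    A tool that feeds CDEvents into an audit trail should reject events that
    lack the required envelope fields or whose subject.type disagrees with the
    subject encoded in context.type, rather than logging them as-is.
    """
    problems = []
    ctx = event.get("context", {})
    sub = event.get("subject", {})
    for field in REQUIRED_CONTEXT:
        if field not in ctx:
            problems.append(f"context.{field} missing")
    for field in REQUIRED_SUBJECT:
        if field not in sub:
            problems.append(f"subject.{field} missing")
    if "type" in ctx:
        try:
            subject_kind, _, _ = parse_type(ctx["type"])
            # subject.type is camelCase ("pipelineRun"); the type string is lowercase.
            if str(sub.get("type", "")).lower() != subject_kind:
                problems.append("subject.type does not match context.type")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def audit_line(event):
    """One compact line per event for an append-only audit log."""
    ctx, sub = event["context"], event["subject"]
    _, predicate, _ = parse_type(ctx["type"])
    outcome = sub["content"].get("outcome", "n/a")
    return (f"{ctx['timestamp']} {ctx['source']} {sub['type']}/{sub['id']} "
            f"{predicate} outcome={outcome} event={ctx['id']}")


if __name__ == "__main__":
    # Constructed sample: one successful run, serialized as a webhook body would be.
    body = json.dumps(pipelinerun_finished(
        "build-and-scan", "run-42", "https://ci.example.test/runs/42", "success"))
    event = json.loads(body)
    print("problems:", validate(event))
    print(audit_line(event))
```

The interoperability benefit shows up in `validate` and `audit_line`: they never look at which tool produced the event, only at the standardized envelope, so the same consumer serves Jenkins, Spinnaker, Flux, or Gerrit once each emits the common format.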

Another key area of focus at the summit is improving software delivery performance by adopting emerging Continuous Delivery tools and technology. Building on the open source community's continued innovation, the talk "Progressive Infrastructure Delivery using Kargo and Argo CD" explains the positive impact of this approach on developer experience and on progressively rolling out infrastructure changes across all stages.

Again, the latest State of CI/CD Report shows that the proportion of low performers is increasing for each of the deployment performance metrics. To address this, the talk "Working in small batches: overcoming cultural barriers" highlights the importance of smaller deployments. It re-emphasizes why working in small batches is one of the key principles of Continuous Delivery, covers the benefits, discusses examples of using smaller batch sizes and strategies for overcoming the cultural barriers involved, and explains how doing so improves the performance metrics.

Lastly, improving the quality of software deployments is on everybody's "to-do" list, yet testing rarely gets enough time and attention. The talk "Test Orchestration using Tekton" shows how Tekton can orchestrate testing as part of the delivery pipeline.

There are several other takeaways from the CD Mini Summit; this post covers only part of the program. The CD Foundation has been improving software delivery productivity by developing open source initiatives for emerging practices and tools and by continuously fostering collaboration with the open source community. We look forward to contributions from open source communities that help us drive synergies and standard approaches, and support organizations with open source strategies for Continuous Delivery.

View the CD Mini Summit Schedule and plan to join us on September 19.