Contributed by Tracy Ragan, DeployHub
Continuous Integration and Continuous Delivery (CI/CD) pipelines have become indispensable in modern software development. These pipelines are critical touchpoints where code-level vulnerabilities, container security issues, and vulnerability remediation efforts converge. As the demand for stronger security measures grows across the software lifecycle—from code to cloud—CI/CD teams face increasing pressure to embed robust cybersecurity guardrails directly into their processes.
The CD Foundation’s CI/CD Cybersecurity SIG (Special Interest Group) aims to address this challenge by advancing security tooling within CI/CD pipelines. This group will define DevSecOps best practices and develop frameworks to enable secure pipeline implementation, ensuring seamless security integration from code to cloud.
The necessity of this SIG is underscored by rising industry challenges and trends:
1. Rising Vulnerabilities:
2. Expanding Threat Landscape with AI:
While organizations like the Cloud Native Computing Foundation (CNCF) and the Open Source Security Foundation (OpenSSF) are developing innovative security tools, discussions around their integration within CI/CD pipelines remain limited. Addressing this gap is critical for the evolution of CI/CD practices.
The CI/CD Cybersecurity SIG seeks to:
1. Develop Integration Frameworks:
2. Promote Security Best Practices:
3. Identify and Evaluate Emerging Tools:
4. Collaborate with Industry Leaders:
The SIG will undertake the following key activities:
Key references for the SIG’s work include:
The CI/CD Cybersecurity SIG welcomes participation from all professionals and organizations engaged in CI/CD, AI, and security. Key groups include:
The effort is open to all involved in CI/CD, AI, and Security. Within CDF it is essential we engage our broader community, including:
How to Join
SIG Monthly Meetings
Our next meeting is on February 4, 2025. Request a meeting invitation.
The CI/CD Cybersecurity SIG represents a pivotal initiative to enhance security in CI/CD pipelines and address modern cybersecurity demands. By focusing on integration frameworks, security best practices, and emerging tooling, the SIG will support organizations in embedding robust security measures into every stage of their CI/CD processes. This effort will ensure a resilient and secure software development lifecycle, empowering teams to build and deploy software with confidence.
Watch the recording of the first meeting here ⬇️
CD Foundation Governing Board Member Ger McMahon, Head of ALM Tools and Platforms at Fidelity Investments, was on “The Confident Commit” Podcast with host Rob Zuber, CTO at CircleCI, to discuss Fidelity’s approach to software innovation.
Episode Summary:
In this episode, Rob and Ger explore the unique challenges of delivering software rapidly in a large enterprise. They dive into strategies for fostering innovation and effectively sharing ideas across diverse teams within the organization.
Ger highlights the delicate balance between building internal tools and creating customer-facing applications, emphasizing the critical role of keeping the customer at the center of decision-making. He also shares insights into why Fidelity prioritizes being a “technology company that delivers financial services,” and how that mindset shapes their approach to software development.
Whether you’re part of a large organization or navigating the complexities of enterprise software delivery, this episode offers valuable perspectives and actionable ideas.
Listen to the Podcast Episode on Spotify or watch it on YouTube.
💡 Want to learn more about how Fidelity Investments secures their software supply chain using CDEvents and Jenkins? Read this case study (PDF).