Back to all blog posts

(Actually) Understanding CI/CD: Why the Practice is Crucial to Staying Secure

Written by Raj Datta, CEO & Co-Founder
April 22, 2021

Security incidents are an all too common occurrence. 70% of organizations hosting workflows in the cloud experienced a security incident last year. And, despite feature delivery speed rising by 14% last year, fewer than 50% of organizations leverage automated security. In other words, there’s a disconnect between dev speed and security automation, and it’s creating tangible financial and development woes for organizations embracing cutting-edge SDLC strategies like Jenkins/Gitlab CI.

So, what’s going on? Why are we failing to secure our stack while simultaneously getting better at delivery and velocity? The answer lies in today’s most popular SDLC delivery model: continuous integration and continuous delivery. While CI/CD can completely transform the way you build out apps, it has the very real potential to leak significant security vulnerabilities into your core. Here’s what you can do about it.


A Deep-Dive on Continuous Integration & Continuous Delivery

Continuous Integration and Continuous Delivery (CI/CD) is a development strategy that involves building, testing, and releasing code in small iterations to avoid scope creep, configuration mismatches, and API frictions. So, instead of dumping code into repositories after the test/build stage is done, CI/CD teams constantly perform git pushes to scout out integration issues when and where they happen. Why is that important? Let’s say you have a frontend developer working on a bold UI for your new software launch. At the same time, your backend team is working on a killer API. After a few months, they both launch their projects and discover a big, fat Git Merge explosion that tanks interoperability and forces teams to go back and readjust one or both solutions. In the end, you just wasted a few months dealing with merge issues due to integration conflicts.

Now. Let’s imagine you have 50 devs with hundreds of GitFlow branches. Think about the pure scale of those merge headaches. It’s a nightmare. CI/CD seeks to solve these issues. Devs are constantly checking for integration and merge issues. Not only does this prevent large-scale problems, but it forces teams to focus on fixing critical issues before adding new features.


CI/CD & Security: A Problem Driven By Innovation

Let’s start with the good news. 83% of devs that use CI/CD release code faster and 60% deploy multiple times a day. CI/CD increases velocity and productivity. Now for the bad news. CI/CD introduces some security woes that are difficult to solve manually. Code dumps are near-constant, so checking these iterations for security vulnerabilities is particularly challenging. The ad-hoc, post-dev security cycle doesn’t cut it. We often hear about DevOps (i.e., a desilo of Dev and Ops into a single integrated team), but CI/CD requires DevSecOps and plenty of security automation. You need to, quite literally, shift security left (i.e., to the beginning) of your SDLC.

While most teams have some form of monitoring and security automation in place for software development, many organizations lack any security automation for infrastructure. In today’s containerized, cloud-based ecosystem, checking for infrastructure misconfigurations and policy violations is crucial. Even more important, you need to test for these issues in every CI/CD spin. Recent research suggests that a large chunk (+25%) of devs are still dealing with drift and cloud misconfigurations on a regular basis. As unit testing and shift-left mentality dominate software-side development, infrastructure is often left out of the equation. Even worse, CI/CD almost always calls for IaC — which essentially drops an energy drink into your sysadmin workflows.

You have all of these containers and cloud services being spun up and down each day, for each iteration. Security vulnerabilities aren’t just a “maybe,” they’re an inevitability. A recent McAfee report showcased this issue. Misconfigurations are responsible for 2,269 security incidents per month. That’s significant!


Enabling Security in the CI/CD Pipeline

CI/CD introduces an automate-or-die mentality into infrastructure security monitoring. It’s not feasible to consistently check for config issues, write RCAs, and apply policies at the scale required with manual input. Remediation-as-code is one common security monitoring method for infrastructure in the CI/CD pipeline. 

You set up some workflows to trigger restarts and readjustments when security incidents are detected. While it’s possible to build these workflows from scratch, many organizations lean into IaC security platforms to help them identify and remediate security issues at scale. Again, this is particularly important if you have a ton of dev branches and IaC spins each day. You need a unified platform that can integrate across your SDLC and bring DevSecOps to your infrastructure and IaC ecosystem.

As an example, oak9 monitors each app and project for infrastructure issues around the clock. This includes compliance policy issues, coding issues, networking issues, app lifecycle management frictions, encryption and attribution errors, and integration problems. When a security event happens (e.g., unrestricted outbound access on an Azure blob), oak9 alerts your team and gives you fixes to those issues immediately. The overall goal of IaC security monitoring is to give your infrastructure the same cadence as monitoring for software. You can fix issues immediately across all CI/CD deployments — keeping your rapid-fire, high-velocity SDLC on track.


Are You Ready for Security-Driven IaC?

The truth is: security automation is essential in CI/CD workflows. It’s not optional, and it’s not just a nice-to-have value-add. Chances are, you adopted CI/CD to deliver better, more customer-centric experiences to the people that use your services. Security issues can instantly defeat the purpose. A single security incident can cost your organization millions of dollars, reputation damage, and a degradation of your customer-centric premise.

We can help.

At oak9, we help companies monitor for security design gaps across their entire IaC. Whether you’re running apps on AWS or Azure (or both!), our platform checks every infrastructure spin for critical security incidents. Better yet, we provide pre-coded building blocks (our security blueprints) that work on any cloud provider. Are you ready to monitor your stack for incidents? Do you want an easy-to-use yet deeply powerful IaC monitoring solution? Contact us to learn more.

(Photo by: