CI/CD Security vs. Security-as-Code: which lowers risk more?

Regardless of their main focus, every company is now also in the software business.

CIOs and CISOs everywhere now have a responsibility to help develop applications that are of high quality and have a robust security foundation. 

CIOs and CISOs everywhere now have a responsibility to help develop applications that are of high quality and have a robust security foundation.  To stay ahead of the competition, companies must rapidly deliver updates to solve security issues, fix bugs, and introduce new features and services.

This never-ending demand for innovation is the driving force behind how businesses construct, maintain, and protect their applications.

Commit-to-deploy time is an essential statistic that businesses must monitor as they go through this never-ending innovation cycle. This Application Security metric counts the time it takes for a commit to deploy into production. The shorter the deployment time, the lower the cost.

While this pace benefits customers by allowing them to enjoy app upgrades more quickly, it poses a substantial barrier for security teams in ensuring that all deployments are evaluated for vulnerabilities.

Despite advancements in security platforms and efforts to shift left throughout the years, security remains the most time-consuming part of today’s software development cycle. The issue is that whenever the application code is touched, it opens the door to new vulnerabilities and the recurrence of previous flaws.

Considering the average organization uses over 200 programs, the security scope, as mentioned above, quickly outstrips what practically any company can handle. 

In fact, 79% of organizations intentionally release vulnerable code to production due to this challenge. This procedure could be more effective, and we believe there is a better method.


Security-as-Code is an Application Security method of automating security behavior in the runtime by leveraging machine-readable definition files that use high-level descriptive coding language.

Illustration depicting a vulnerability injected in the CI/CD pipeline following passing security tests

Vulnerability injections in the CI/CD pipeline recently made headlines for two notable open-source projects from Apache and Google.

Zero trust… in code?

Consider alternative security approaches, such as Zero Trust, and you’ll notice that the fundamental premise is always to presume danger.

Although someone may have an upgraded role that allows for extremely sensitive permissions, the Zero Trust approach does not rely on a point-in-time authorization. Every access request necessitates the ongoing recertification of results.

This precaution is relevant because there is a connection between how enterprises should handle application security.

If we genuinely want to address the security concerns within the CI/CD pipeline, security must run continuously and consistently for every request in every application.

Otherwise, you rely on a single point in time along the CI/CD process to ensure your security. Consider it similar to zero trust, but for code.

Immutable and continuous Security-as-Code 

Applications secured with control through policy, via Security-as-Code, are immutable. Immutability, in this context, means that it’s impossible to introduce vulnerabilities in or after the pipeline.

In fact, with this approach, you are removing the burden of back-and-forth tickets to fix security flaws in the development lifecycle and taking weight off the shoulders of both your developers and security teams. 

No code written now or in the future can override the rules set in your policy using Security-as-Code.

If development overlooks something in the pipeline, your policy detects and corrects it while your application runs. Security-as-Code allows developers to concentrate on their apps while security teams focus on security posture.

When the next major vulnerability, such as log4j, occurs, your security team may immediately add a new policy without involving development, resulting in immediate time-to-remediation.

This Security-as-Code technique has enabled one business to safeguard over 2,500 log4j-affected applications in just a few hours at scale.

As a result, we’re wondering if it’s time to move our focus from applying security to apps in the CI/CD pipeline to securing continuously and immutably with Security-as-Code.

Read “The Five Business Reasons Why Every CISO Should Consider Security-as-Code” to learn more about the concept of “Security-as-Code” and what it means for Application Security.

Related resources

Ready to scale Security with modern software development?

Work with us to accelerate your adoption of Security-as-Code to deliver application security at scale.