{"id":27556,"date":"2025-09-16T09:49:14","date_gmt":"2025-09-16T08:49:14","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=27556"},"modified":"2026-04-29T13:44:50","modified_gmt":"2026-04-29T12:44:50","slug":"ci-cd-the-new-cornerstone-of-the-information-system","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/","title":{"rendered":"CI\/CD: the new cornerstone of the Information system?\u00a0"},"content":{"rendered":"\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Since the massive rise of DevOps, <\/span><b><span data-contrast=\"none\">continuous integration<\/span><\/b> <span data-contrast=\"auto\">and <\/span><b><span data-contrast=\"none\">deployment<\/span><\/b> <span data-contrast=\"auto\">(CI\/CD) pipelines have become essential to automate application development cycles. <\/span><b><span data-contrast=\"none\">Continuous Integration<\/span><\/b> <span data-contrast=\"auto\">(CI) involves merging and testing code automatically, while <\/span><b><span data-contrast=\"none\">Continuous Deployment<\/span><\/b> <span data-contrast=\"auto\">(CD) automates the entire process of releasing that code into production, ensuring it runs properly in its target environment.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Attacks targeting these supply chains have opened a new perimeter of risk in information systems. 
Breaches can lead to intellectual property theft, tampering with source code, service disruption, and privilege escalation into more critical parts of the IT landscape.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">What are the <\/span><b><span data-contrast=\"none\">new<\/span><\/b> <b><span data-contrast=\"none\">attack<\/span><\/b> <b><span data-contrast=\"none\">vectors<\/span><\/b> <span data-contrast=\"auto\">in CI\/CD pipelines, and how can they be <\/span><b><span data-contrast=\"none\">contained<\/span><\/b><span data-contrast=\"auto\">? This article reviews real-world compromise scenarios and provides recommendations to defend against them.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<h1 style=\"text-align: justify;\">\u00a0<\/h1>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">What are the risks for CI\/CD pipelines?<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">The 2020 <\/span><b><span data-contrast=\"none\">SolarWinds<\/span><\/b> <span data-contrast=\"auto\">breach is very often cited as a CI\/CD compromise, as it revealed the true scale of what such an attack can cause. 
After supposedly stealing FTP credentials left in plaintext in an old GitHub repository, attackers poisoned SolarWinds\u2019 supply chain by inserting a C2 beacon into Orion, its network management software, before the signing process.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">This backdoor gave adversaries <\/span><b><span data-contrast=\"none\">months<\/span><\/b> <span data-contrast=\"auto\">of <\/span><b><span data-contrast=\"none\">undetected<\/span><\/b> <b><span data-contrast=\"none\">access<\/span><\/b> <span data-contrast=\"auto\">to the internal networks of U.S. government agencies and private companies.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Incidents like this, along with more recent ones such as Log4Shell, Codecov, and XZ Utils, highlight not only the need for stronger CI\/CD security but also for a more adaptive incident response. 
OWASP published a dedicated overview for CI\/CD Security in their <\/span><a href=\"https:\/\/owasp.org\/www-project-top-10-ci-cd-security-risks\/\"><span data-contrast=\"none\">Top 10<\/span><\/a><span data-contrast=\"auto\">, mapping out the most common areas of risk.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559731&quot;:708}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27501\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive1.png\" alt=\"Fig 1 \u2013 Top 10 OWASP CICD-Sec\u00a0\" width=\"1280\" height=\"720\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive1.png 1280w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive1-340x191.png 340w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive1-69x39.png 69w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive1-768x432.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive1-800x450.png 800w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 1 \u2013 Top 10 OWASP CICD-Sec<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:360}\">\u00a0<\/span><\/p>\n<h1 style=\"text-align: justify;\">\u00a0<\/h1>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Field insights @ Wavestone<\/span><\/b><\/h1>\n<h1 style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p style=\"text-align: justify;\"><b><span 
data-contrast=\"none\">Audits<\/span><\/b> <span data-contrast=\"auto\">and <\/span><b><span data-contrast=\"none\">penetration tests<\/span><\/b><span data-contrast=\"auto\"> help identify vulnerabilities proactively before attackers can exploit them. By simulating real-world attacks, these assessments provide concrete visibility into how systems can be compromised.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Our recent client engagements have led to clear findings:<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li><span data-contrast=\"auto\">In nearly all <\/span><b><span data-contrast=\"none\">Cloud<\/span><\/b> <span data-contrast=\"auto\">and <\/span><b><span data-contrast=\"none\">CI\/CD<\/span><\/b> <b><span data-contrast=\"none\">audits<\/span><\/b><span data-contrast=\"auto\">, vulnerabilities are always discovered in pipelines, often enabling full control of the pipeline, its artifacts, or even underlying infrastructure.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">In <\/span><b><span data-contrast=\"none\">CERT<\/span><\/b> <span data-contrast=\"auto\">and <\/span><b><span data-contrast=\"none\">Red<\/span><\/b> <b><span data-contrast=\"none\">Team<\/span><\/b> <span data-contrast=\"auto\">interventions, CI\/CD pipelines frequently act as accelerators in attack paths.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Here are two examples observed in the field.<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: 
justify;\"><b><span data-contrast=\"auto\">Example 1: <\/span><\/b><span data-contrast=\"auto\">Full AWS compromise through CI\/CD abuse<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">In this first grey-box example, we compromised an entire AWS Cloud environment (600+ accounts) starting from standard DevOps accounts.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_27503\" aria-describedby=\"caption-attachment-27503\" style=\"width: 1280px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-27503\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive2.png\" alt=\"Fig 2 - Chemin de compromission d\u2019une attaque sur un cluster d\u2019Amazon EKS\u00a0\" width=\"1280\" height=\"720\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive2.png 1280w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive2-340x191.png 340w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive2-69x39.png 69w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive2-768x432.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive2-800x450.png 800w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><figcaption id=\"caption-attachment-27503\" class=\"wp-caption-text\">Fig 2 &#8211; Compromise path of an attack on an Amazon EKS cluster<\/figcaption><\/figure>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 2: Full AWS compromise through CI\/CD abuse<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Attack 
path:<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">An attacker pushed <\/span><b><span data-contrast=\"none\">malicious<\/span><\/b> <b><span data-contrast=\"none\">code<\/span><\/b> <span data-contrast=\"auto\">into a GitLab repository, triggering a GitLab CI pipeline that deployed the code into a generic Kubernetes pod.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The code opened a <\/span><b><span data-contrast=\"none\">reverse<\/span><\/b> <b><span data-contrast=\"none\">shell<\/span><\/b><span data-contrast=\"auto\">, giving the attacker remote access to the Kubernetes environment.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">From there, the attacker exploited <\/span><b><span data-contrast=\"none\">excessive<\/span><\/b> <b><span data-contrast=\"none\">privileges<\/span><\/b> <span data-contrast=\"auto\">granted to the node\u2019s service account (ability to patch tokens in the cluster) and replaced the admin node\u2019s token.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">On redeployment, the malicious pod lands on the former admin node, still holding admin rights.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The attacker <\/span><b><span data-contrast=\"none\">escalated<\/span><\/b> <b><span data-contrast=\"none\">privileges<\/span><\/b> <span data-contrast=\"auto\">and pivoted into AWS, compromising the entire Elastic Kubernetes Service (EKS) cluster and its resources.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<p 
style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Example 2: <\/span><\/b><span data-contrast=\"auto\">Chained attacks across pipeline components<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27505\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive3-e1758008947607.png\" alt=\"Fig 3 - Condens\u00e9 de plusieurs typologies d\u2019attaques observ\u00e9es dans les CI\/CD de nos clients\u00a0\" width=\"1280\" height=\"720\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 3 - Summary of real chained<\/span><\/i><i><span data-contrast=\"auto\"> attacks across pipeline components<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">In another case (presented at <\/span><a href=\"https:\/\/www.riskinsight-wavestone.com\/2022\/10\/lete-cybersecurite-de-wavestone\/\"><span data-contrast=\"none\">DefCon &amp; BSides 2022<\/span><\/a><span data-contrast=\"auto\">), we demonstrated how multiple components of a CI\/CD pipeline can be chained together in compromise scenarios. 
[<\/span><a href=\"https:\/\/www.youtube.com\/watch?v=a3SeASgtINY\"><span data-contrast=\"none\">Video<\/span><\/a><span data-contrast=\"auto\">].<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<h1 style=\"text-align: justify;\">\u00a0<\/h1>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Recommendations to secure a CI\/CD<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">CI\/CD pipelines have now become systemic components of information systems and can be leveraged to compromise an organization\u2019s most critical resources.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Our recommendations for securing the CI\/CD chain can be grouped into three main themes: <\/span><b><span data-contrast=\"none\">identity<\/span><\/b> <span data-contrast=\"auto\">and <\/span><b><span data-contrast=\"none\">access management<\/span><\/b> <span data-contrast=\"auto\">(IAM), better <\/span><b><span data-contrast=\"none\">pipeline design<\/span><\/b><span data-contrast=\"auto\">, and <\/span><b><span data-contrast=\"none\">continuous monitoring<\/span><\/b><span data-contrast=\"auto\">. 
These align with the <\/span><a href=\"https:\/\/cyber.gouv.fr\/publications\/devsecops\"><span data-contrast=\"none\">ANSSI DevSecOps guidance<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559731&quot;:708}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27507\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive4-e1758009062200.png\" alt=\"Fig 4 - Trois grands axes de recommandations pour s\u00e9curiser une CI\/CD\u00a0\" width=\"1280\" height=\"720\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 4 &#8211; Three main recommendations to secure a CI\/CD<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<h2 style=\"text-align: justify;\">\u00a0<\/h2>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Identity and Access Management (IAM)<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/h1>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27509\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive5-e1758009180837.png\" alt=\"Fig 5 \u2013 Recommandations IAM\" width=\"1280\" height=\"720\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 5 \u2013 IAM recommendations<\/span><\/i><span 
data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Identity management<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Beyond the traditional rules for managing identity lifecycles, it is strongly recommended to systematically use <\/span><b><span data-contrast=\"none\">Single Sign-On<\/span><\/b> <span data-contrast=\"auto\">(SSO) combined with <\/span><b><span data-contrast=\"none\">Multi-Factor Authentication<\/span><\/b> <span data-contrast=\"auto\">(MFA). This significantly reduces the risk of intrusion into the CI\/CD chain, by ensuring that any user accessing code repositories, signing commits, or performing other privileged actions is properly authenticated.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<h2>\u00a0<\/h2>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Access control<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">User and service account permissions must be strictly limited to what is necessary for their role within the CI\/CD chain, always applying the principle of least privilege. This should be enforced through <\/span><b><span data-contrast=\"none\">Role-Based Access Control<\/span><\/b> <span data-contrast=\"auto\">(RBAC). 
For example, a developer working on a specific project generally should not have write access to the overall pipeline configuration.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">It is also advisable to segment projects using <\/span><b><span data-contrast=\"none\">separate<\/span><\/b> <b><span data-contrast=\"none\">code<\/span><\/b> <b><span data-contrast=\"none\">repositories<\/span><\/b><span data-contrast=\"auto\">, and to ensure that the orchestrator account of one project does not hold excessive rights over the deployments of projects it is not associated with.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2>\u00a0<\/h2>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Secrets management<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">In CI\/CD, \u201c<\/span><b><span data-contrast=\"none\">secrets<\/span><\/b><span data-contrast=\"auto\">\u201d refer to sensitive data such as passwords, API keys, certificates, or access tokens. 
Since these secrets often enable privileged actions within pipelines, they must be retrieved in an automated and controlled manner.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Vendors such as <\/span><a href=\"https:\/\/www.hashicorp.com\/products\/vault\"><span data-contrast=\"none\">HashiCorp<\/span><\/a><span data-contrast=\"auto\"> provide dedicated <\/span><b><span data-contrast=\"none\">secret management solutions<\/span><\/b> <span data-contrast=\"auto\">that make it possible to store sensitive data centrally, while ensuring encryption in transit and at rest.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h1 style=\"text-align: justify;\">\u00a0<\/h1>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">CI\/CD pipeline design<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/h1>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27511\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive6-e1758009516245.png\" alt=\"Fig 6 \u2013 Recommandations sur la conception d\u2019une CI\/CD\u00a0\" width=\"1280\" height=\"720\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 6 \u2013 Design recommendations<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Environment segmentation<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><b><span 
data-contrast=\"none\">Segregation<\/span><\/b> <span data-contrast=\"auto\">between users, applications, and infrastructure is essential to minimize the impact of a compromise. In line with ANSSI\u2019s guidance, actions performed by the production CI\/CD chain should be treated as administrative actions, and the number of users authorized to access it should be kept to an absolute minimum. Furthermore, communication between environments must be protected with <\/span><b><span data-contrast=\"none\">end-to-end encryption<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Integration of third-party tools<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">As the SolarWinds attack demonstrated, many <\/span><b><span data-contrast=\"none\">supply-chain<\/span><\/b> <span data-contrast=\"auto\">compromises originate from a third-party component integrated into a CI\/CD pipeline. These tools are indispensable for supply-chain operation: they may be as small as a development add-on, or as central as a version control system or orchestrator.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Because these tools are often granted high privileges\u2014access to sensitive resources or the ability to perform critical actions within the pipeline\u2014a vulnerability that is left unpatched can be catastrophic. In many cases, the ability to remediate will depend on the vendor, limiting the organization\u2019s own control. 
A <\/span><b><span data-contrast=\"none\">strict<\/span><\/b> <b><span data-contrast=\"none\">governance<\/span><\/b> <span data-contrast=\"auto\">framework and a <\/span><b><span data-contrast=\"none\">Third-Party Cyber Risk Management (TPCRM)<\/span><\/b> <span data-contrast=\"auto\">process for third-party tools are therefore necessary.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Artifact management<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">To avoid the risk of distributing <\/span><b><span data-contrast=\"none\">malicious artifacts<\/span><\/b><span data-contrast=\"auto\">, it is recommended to sign artifacts as early as possible in the pipeline, and to verify those signatures at deployment time to guarantee their <\/span><b><span data-contrast=\"none\">integrity<\/span><\/b><span data-contrast=\"auto\">. 
Similarly, regular <\/span><b><span data-contrast=\"none\">Software Composition Analysis<\/span><\/b> <span data-contrast=\"auto\">(SCA) should be performed to prevent the introduction of malicious libraries.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Monitoring and supervision<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/h1>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27513\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive7-e1758009660158.png\" alt=\"Fig 7 \u2013 Recommandations de surveillance\u00a0\" width=\"1280\" height=\"720\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 7 \u2013 Monitoring recommendations<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Logging and detection<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Maintaining a high level of visibility and control over all pipeline components is critical for easier maintenance and faster response to attacks.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">A tailored <\/span><b><span data-contrast=\"none\">logging<\/span><\/b> <span data-contrast=\"auto\">strategy should be implemented: logs must contain only the data needed to ensure traceability and 
accountability in the event of an incident, should be stored securely, and must not contain secrets in plaintext. Logs should be shared effectively with the organization\u2019s Security Information and Event Management (SIEM) system.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Regular <\/span><b><span data-contrast=\"none\">audits<\/span><\/b> <span data-contrast=\"auto\">and <\/span><b><span data-contrast=\"none\">penetration tests<\/span><\/b> <span data-contrast=\"auto\">are also required to reassess the security posture and identify potential new compromise paths within the CI\/CD pipeline.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Incident response<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Finally, CI\/CD pipelines must be included in incident response plans just like any other perimeter of the information system. 
This means ensuring that source code and configurations are backed up, and that business continuity plans exist in case of a tool failure.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h1 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">In conclusion<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h1>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">CI\/CD pipelines have become a genuine <\/span><b><span data-contrast=\"none\">cornerstone<\/span><\/b> <span data-contrast=\"auto\">of modern information systems. They are now systemic components, indispensable for developing and deploying applications. Yet their critical role within IT also makes it necessary to implement appropriate security measures so that they do not themselves become attack vectors.<\/span><span data-ccp-props=\"{&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-27515\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Diapositive8-e1758009992895.png\" alt=\"Fig 8 \u2013 Quelques composants syst\u00e9miques et critiques en CI\/CD\u00a0\" width=\"1280\" height=\"720\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Figure 8 \u2013 Some systemic CI\/CD components<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Beyond the recommendations detailed in this article, further preventive measures can be implemented in the form of <\/span><b><span 
data-contrast=\"none\">hardening<\/span><\/b> <b><span data-contrast=\"none\">guides<\/span><\/b> <span data-contrast=\"auto\">tailored to <\/span><b><span data-contrast=\"none\">specific tools<\/span><\/b> <span data-contrast=\"auto\">within the pipeline. In addition, adopting a robust <\/span><b><span data-contrast=\"none\">training<\/span><\/b> <span data-contrast=\"auto\">strategy for users, together with structured <\/span><b><span data-contrast=\"none\">change<\/span><\/b> <b><span data-contrast=\"none\">management<\/span><\/b><span data-contrast=\"auto\">, is essential to ensure the success of these transformations.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: center;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:708}\"><em>Thanks to Jeanne GRENIER for her valuable contribution to the writing of this article.<\/em><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the massive rise of DevOps, continuous integration and deployment (CI\/CD) pipelines have become essential to automate application development cycles. 
Continuous Integration (CI) involves merging and testing code automatically, while Continuous Deployment (CD) automates the entire process of releasing that&#8230;<\/p>\n","protected":false},"author":1539,"featured_media":27549,"comment_status":"open","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3266],"tags":[2825,3208,3331,4012,4778,3156,3382,4777],"coauthors":[4622,4623],"class_list":["post-27556","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-next-gen-it-security-en","tag-access-management","tag-cloud-en","tag-iam-en","tag-incident-response","tag-monitoring-and-supervision","tag-risk-management-en","tag-risk-management-strategy-governance-en","tag-segmentation"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CI\/CD: the new cornerstone of the Information system?\u00a0 - RiskInsight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CI\/CD: the new cornerstone of the Information system?\u00a0 - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Since the massive rise of DevOps, continuous integration and deployment (CI\/CD) pipelines have become essential to automate application development cycles. 
Continuous Integration (CI) involves merging and testing code automatically, while Continuous Deployment (CD) automates the entire process of releasing that...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-16T08:49:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-29T12:44:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Image_couverture.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"2000\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Alexandre GUY, Thomas JOUBERT\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alexandre GUY, Thomas JOUBERT\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\"},\"author\":{\"name\":\"Alexandre GUY\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/b6d3a771a2e0ef3ff789b33e391d10a0\"},\"headline\":\"CI\/CD: the new cornerstone of the Information system?\u00a0\",\"datePublished\":\"2025-09-16T08:49:14+00:00\",\"dateModified\":\"2026-04-29T12:44:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\"},\"wordCount\":1360,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Image_couverture.jpg\",\"keywords\":[\"access management\",\"cloud\",\"IAM\",\"Incident response\",\"Monitoring and supervision\",\"risk management\",\"risk management strategy &amp; governance\",\"Segmentation\"],\"articleSection\":[\"Cloud &amp; Next-Gen IT 
Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\",\"name\":\"CI\/CD: the new cornerstone of the Information system?\u00a0 - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Image_couverture.jpg\",\"datePublished\":\"2025-09-16T08:49:14+00:00\",\"dateModified\":\"2026-04-29T12:44:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Image_couverture.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/09\/Image_couverture.jpg\",\"width\":2000,\"height\":2000,\"caption\":\"CI\/CD : 
la nouvelle pierre angulaire du SI ?\u00a0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CI\/CD: the new cornerstone of the Information system?\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/b6d3a771a2e0ef3ff789b33e391
d10a0\",\"name\":\"Alexandre GUY\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/alexandre-guy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/27556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1539"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=27556"}],"version-history":[{"count":10,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/27556\/revisions"}],"predecessor-version":[{"id":27570,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/27556\/revisions\/27570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/27549"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=27556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=27556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=27556"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=27556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}