Green Checkmarks, Red Flags - What CI/CD Can't Catch

Explore the critical limitations of CI/CD automation in this 26-minute conference talk that examines what continuous integration and deployment pipelines cannot detect or prevent. Analyze real-world security incidents, including the March 2024 XZ Utils backdoor attack, to understand how sophisticated threats can bypass automated testing and green checkmarks. Investigate the human factors that contribute to CI/CD vulnerabilities, including social engineering tactics, review fatigue, and organizational pressures that prioritize speed over thorough security analysis. Learn about the disconnect between automated validation and actual software quality, examining how malicious actors exploit trust relationships and overwhelmed review processes. Discover a comprehensive solutions framework that addresses review practices, organizational culture, and technical safeguards to enhance CI/CD security. Examine strategies for building resilient software development processes that combine automation benefits with human oversight, including techniques for extending CI/CD pipelines with additional security layers and improving code review effectiveness in high-pressure development environments.