A CISO perspective: how Gitpod helps increase developer security without compromising productivity
Organizations face a fundamental conflict where security measures often directly impede developer productivity. Gitpod transforms security from a productivity blocker into an automated, integrated part of the development workflow. Instead of security and productivity being at odds, they become complementary through automated, standardized, and ephemeral environments.
In this meta report, we highlight 10 of Gitpod’s security benefits and how our customers in regulated industries use them.
Customer case studies covered in this report:
- Pension Co. (Anonymized): a leading European insurer specializing in securing and managing pension schemes for long-term stability.
- Wealth Co. (Anonymized): a US financial technology company offering personal loans and credit solutions to help individuals achieve financial wellness.
- Data Co. (Kingland): a US technology firm providing data management, regulatory compliance, and analytics solutions for financial and other regulated industries.
- Energy Co. (Luminus): a leading European energy company providing innovative and sustainable power solutions across diverse markets.
1. Reducing attack surface area
Ephemeral development environments that are automatically destroyed and recreated as clean workstations eliminate persistent attack vectors and contain potential security breaches within isolated, temporary environments. Additionally, advanced networking and access configuration gives fine-grained control over which resources can be reached over the network and can reuse existing cloud infrastructure such as firewalls and identity providers.
Data Co. runs short-lived ephemeral workspaces that are destroyed automatically, replacing their previously long-lived, stateful environments: “The best way to handle that security posture is to not have environments that are alive for long enough to get compromised.”
Pension Co. implements “deny by default” firewall rules, adjusted with exemptions only for specific trusted services like Okta, GitLab, and AWS endpoints.
Wealth Co. eliminates environment drift, ensuring developers use the latest patched and hardened dependencies through standardized containers, which reduces configuration vulnerabilities.
Evidence with Gitpod: Environments are ephemeral by design. All workstations are containerized and isolated. Automated cleanup removes all compute resources, dependencies, and local changes when destroyed. Learn more about ephemeral environments, zero-trust environments, and how we built our security architecture.
2. No code stored on local devices
All source code remains in your cloud rather than on developer machines, eliminating risks of code exfiltration through lost, stolen, or compromised devices.
Data Co. emphasizes physical security: “if somebody compromises their physical laptop, it doesn’t matter because no code is stored on their device.”
Energy Co. configured their development environments to connect to their sensitive data sources in S3 with VPC endpoints explicitly “ensuring users cannot download data on personal devices.”
Evidence with Gitpod: All development happens in cloud workspaces. Code remains in the customer’s AWS account, accessed directly from source control. No local caching or storage of source code. Learn more about Gitpod Enterprise security and privacy documentation.
3. Fine-grained access control via SSO, SCM and OIDC
Single sign-on integration enables granular access control across all development resources while adhering to the principle of least privilege. All access to source code mirrors the existing security and identity controls of the source control provider. Cloud identities are obtained through fine-grained OIDC configurations that issue temporary access tokens.
Pension Co. ensures their GitLab configurations remain as their source of truth for access: “Any development environment started in Gitpod must also have access to the respective GitLab repository.”
Energy Co. implements across AWS and GitLab “fine-grained permissions set so that they [developers] only access the data they need.”
Evidence with Gitpod: Integrates with enterprise SSO providers, inherits repository permissions from source control system, supports role-based access control, and enables project-based isolation. Learn more about modeling identity and access management with Gitpod.
4. VDI replacement
Purpose-built cloud development environments provide stronger security isolation than traditional VDI while maintaining compliance requirements for regulated industries.
Pension Co. simplified their Citrix VDI and improved environment performance enough to run resource-intensive security scanning and development workloads simultaneously. “Security scanners are installed but no longer disrupt development flows in ‘delaying every system process launch’.”
Energy Co. reduced environment startup from “22 hours to seconds” compared to their traditional environment setup.
Wealth Co. eliminated “additional workarounds to ensure alignment between development and production.”
Evidence with Gitpod: Gitpod meets many of the requirements that a VDI does for software development, without the headache to developers. Learn more about how to use CDEs and VDI together or ultimately, why replacing VDI will improve developer productivity without impacting security.
5. Automated secrets management with OIDC
OpenID Connect integration with AWS ensures development environments automatically fetch temporary, fine-grained AWS credentials and other secrets through managed authentication flows, eliminating manual secret distribution and reducing the risk of exposure.
Wealth Co. notes that “users installed the Gitpod extension, automated secrets into their development environments.”
Data Co. implements Gitpod’s OpenID Connect Integration with AWS allowing developers to “just run a notebook in Gitpod, and it’s immediately connected to your data.”
Pension Co. deployed with controlled access using AWS IAM roles in their AWS account in conjunction with their private VPC.
Evidence with Gitpod: Integrated secrets management through environment variables, secure storage of credentials, automatic cleanup of secrets in ephemeral environments. Learn more about integrating with any OIDC provider and securely fetching AWS credentials with OIDC.
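The “fine-grained” part of sections 3 and 5 lives in the trust policy of the IAM role that the workspace’s OIDC token is exchanged for: STS only issues temporary credentials when the token’s claims satisfy the policy’s Condition block. The following added example (not Gitpod’s or AWS’s code) mimics that evaluation offline so the effect of pinning `aud` and `sub` can be seen; the issuer host, claim names and claim values are constructed assumptions.

```python
"""Evaluate IAM-style trust-policy conditions against an OIDC token's claims.

Added illustration, not Gitpod's or AWS's implementation: it mimics how IAM
checks the Condition block of a role trust policy during
AssumeRoleWithWebIdentity. Issuer host, claim names and values are assumed."""
import base64
import fnmatch
import json

# Constructed trust-policy conditions. IAM names web-identity condition keys
# "<issuer host>:<claim>", so both keys are prefixed with the assumed issuer.
ISSUER = "gitpod.example.internal"  # assumption, not a real Gitpod issuer
TRUST_CONDITIONS = {
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:example-org/payments:*"},
}


def decode_claims(token: str) -> dict:
    """Return the JWT payload. Signature verification is STS's job against the
    issuer's JWKS and is out of scope here; never skip it in production."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate(conditions: dict, claims: dict) -> bool:
    """Allow only if every operator and every key matches (IAM semantics:
    a missing claim fails the condition; StringLike uses * and ? wildcards)."""
    for operator, checks in conditions.items():
        for key, expected in checks.items():
            actual = claims.get(key.split(":", 1)[1])  # drop "<issuer>:" prefix
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True


def make_token(claims: dict) -> str:
    """Build an unsigned JWT as constructed test input (alg=none, no signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    ok = make_token({"aud": "sts.amazonaws.com", "sub": "repo:example-org/payments:env-42"})
    other = make_token({"aud": "sts.amazonaws.com", "sub": "repo:example-org/marketing:env-7"})
    print(evaluate(TRUST_CONDITIONS, decode_claims(ok)))     # True: matching project
    print(evaluate(TRUST_CONDITIONS, decode_claims(other)))  # False: same issuer, other project
```

Without the `sub` condition, any workspace the same issuer signs for could assume the role; the audience pin additionally stops a token minted for another relying party from being replayed against STS.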
6. Secure sandboxes for AI assistants and agents
Evidence with Gitpod: Running agents / any AI initiative through Gitpod provides a sandboxed environment. Everything the agent does is contained within the Gitpod configured workstations that can be easily monitored and secured. To learn more see automating GPU development using Gitpod, and how to use Gitpod with Amazon Q.
7. Speeding up compliance audits
Standardized, automated development environments with consistent security controls streamline compliance audits and security reviews.
Data Co. maintains compliance with “SOC2, ISO 27001 and NIST” through standardized environments.
Evidence with Gitpod: Standardized environments make aligning to compliance requirements quicker, and cleaning up environments faster with global controls.
8. Onboarding / offboarding contractors
Instant provisioning and revocation of development environments enables secure contractor management without exposing internal systems or requiring device management.
Wealth Co. supports a “large share of external contractors” and BPOs with globally distributed teams.
Energy Co. enabled BYOD consultants to “connect securely through single sign-on” without mandating VPN installation.
Evidence with Gitpod: Automated environment provisioning, standardized setups, immediate access removal, clear audit trails for contractor activity. Read about onboarding contractors with Gitpod.
9. Cost savings compared to traditional solutions
Cloud development environments provide better security controls at a lower cost per hour compared to traditional VDI and cloud remote development solutions.
Energy Co. reports “$36,000 annual savings from SageMaker replacement.”
Data Co. eliminated “thousands of hours” of environment management overhead compared to their previous Vagrant setup.
Pension Co. notes “VDIs actually would cost more per hour than the Gitpod environments.”
Evidence with Gitpod: On average, Gitpod + additional infrastructure costs are 60% less than VDI costs, delivering an immediate ROI of over 150%. See Gitpod’s ROI calculator.
10. Zero-trust architecture
Granular access controls and the absence of persistent state implement zero-trust security principles for development infrastructure.
Pension Co. implements network-level zero trust with “deny by default” firewall rules and explicit service allowances.
Data Co. enforces “ephemeral workspaces” with no persistent access.
Evidence with Gitpod: Workstations are built with a zero-trust architecture. Every access request requires authentication, environments are isolated and ephemeral, all connections are encrypted, no implicit trust zones. More details on how we built the zero-trust architecture here.