Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)


Transcript of Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)

Page 1: Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)

Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)

An open source toolchain

March 2016

Kevin Glavin

Page 2

Who am I?

Kevin Glavin

@archen

Developer

Software security nerd

Page 3

Who are you?

Developers?

DevOps?

Security?

Managers / Business?

Page 4

Modern SDLC

Each code change is its own deployment.

The goal is to shorten development cycle times.

Faster cycle times make working features available more quickly.

Increased feedback improves quality.

Restricting the scope of each deployment reduces risks.

Page 5

What does CI/CD2 success look like?

• Identifying vulnerabilities and planning for remediating or mitigating without impacting the deployment machine

• Creating a culture of security that does not inhibit the existing pipeline but supports it

• Building security into existing build, delivery, deployment pipelines

• Shifting the secure mindset to risk management (don’t stop the process).

Page 6

So what about this toolchain?

To achieve CI/CD2 speed and quality, organizations need to seamlessly connect processes and tools into a toolchain that eliminates bottlenecks, manual steps and errors.

Page 7

Components of a toolchain

Toolchain link: Tools

Orchestration and Deployment Pipeline Visualization: Jenkins (with plugins or through CloudBees), ThoughtWorks Go, Atlassian Bamboo

Version Control: Git, Mercurial, Perforce, Subversion, TFS

Continuous Integration: Jenkins, Travis CI, ThoughtWorks Go, CircleCI, JetBrains TeamCity, Atlassian Bamboo, GitLab CI

Artifact Management: Archiva, Artifactory, Nexus, or roll-your-own with zip files, metadata, shared storage, and access controls

Test and Environment Automation: JMeter, Selenium/WebDriver, Cucumber (BDD), RSpec (BDD), SpecFlow (BDD)

Server Configuration and Deployment: Capistrano, Fabric, ThoughtWorks Go, MSDeploy, Octopus, RunDeck

Monitoring and Reporting: Collectd, Ganglia, Graphite, Icinga, Sensu, ScriptRock

• There is a need to take each isolated process and integrate them together

• There is a need to overlay / integrate application security into the toolchain without impacting the time to develop and deploy

Page 8

Code development related tools

[Figure: pipeline diagram used on pages 8 to 13. Stages: Code development, Code commit, Build scripts, Systematic tests, Prerelease, Production. Security activities placed along the stages: Code checking / SAST, SAST (manual emphasis), SAST (deeper level), Unit tests, Code complete, DAST / Pen testing, DAST / Pen testing / Bug bounty. "API" labels mark the integration points between the tools.]

Page 9

Code development related tools


• Eclipse IDE

• NetBeans

• JetBrains IDEs

• Visual Studio

Page 10

Code commit related tools


• Git

• Mercurial

• Apache Subversion (SVN)

• Concurrent Versions System (CVS)

Page 11

Build automation-related tools


• Apache Ant

• Maven

• Gradle

• NAnt

• Shell Scripts

Page 12

SAST-related tools


• FindBugs

• PMD

• Google CodePro AnalytiX

• Brakeman

• Cppcheck

• CodeNarc

• Pylint

• Bandit

• HP Fortify

• IBM’s AppScan Source

• Codiscope
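Page 5 asks for a security mindset of risk management that does not stop the process, and this slide lists the SAST tools that feed a pipeline. The script below is an added example, not from the talk or from any of the listed tools: a pipeline gate that reads Bandit-style JSON findings and fails the stage only for findings that meet a severity and confidence threshold, while everything else is reported and the build continues. The embedded report is a constructed sample that follows the field names of Bandit's `-f json` output; the thresholds and the `accepted` risk-register set are assumptions for the example.

```python
"""Risk-based gate for SAST findings in a CI stage (added example)."""
import json
from collections import Counter

# Constructed sample report in the layout of Bandit's JSON formatter
# (in a real stage: bandit -r app -f json -o report.json, then read the file).
SAMPLE_BANDIT_JSON = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/deploy.py", "line_number": 42,
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "filename": "app/settings.py", "line_number": 7,
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"test_id": "B311", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "app/tokens.py", "line_number": 19,
     "issue_text": "Standard pseudo-random generators are not suitable for security purposes."},
]})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def classify(finding, accepted=frozenset(), fail_at="HIGH", fail_confidence="HIGH"):
    """'accepted' if the risk register already covers it, 'block' if it meets
    both thresholds, otherwise 'warn' (reported, pipeline keeps going)."""
    if (finding["test_id"], finding["filename"]) in accepted:   # assumed register key
        return "accepted"
    severe = SEVERITY_RANK[finding["issue_severity"]] >= SEVERITY_RANK[fail_at]
    sure = SEVERITY_RANK[finding["issue_confidence"]] >= SEVERITY_RANK[fail_confidence]
    return "block" if severe and sure else "warn"


def gate(report_json, **policy):
    """Return (exit_code, counts): exit 1 only when a blocking finding exists."""
    findings = json.loads(report_json)["results"]
    counts = Counter(classify(f, **policy) for f in findings)
    return (1 if counts["block"] else 0), dict(counts)


def render(report_json, **policy):
    """One line per finding, labelled with the gate decision, for the build log."""
    return [f"[{classify(f, **policy).upper()}] {f['test_id']} {f['filename']}:"
            f"{f['line_number']} {f['issue_severity']}/{f['issue_confidence']} {f['issue_text']}"
            for f in json.loads(report_json)["results"]]


if __name__ == "__main__":
    code, counts = gate(SAMPLE_BANDIT_JSON)
    print("\n".join(render(SAMPLE_BANDIT_JSON)))
    print("summary:", counts, "exit code:", code)
    raise SystemExit(code)
```

Warn-level findings are meant to be turned into tracked work items rather than silently dropped; the exit code is what the CI stage uses to decide whether the pipeline proceeds.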

Page 13

DAST-related tools


• OWASP ZAP

• Arachni

• IBM AppScan Standard

• HP WebInspect

Page 14

Questions?