Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)

Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)

An open source toolchain

March 2016

Kevin Glavin

Who am I?

Kevin Glavin

@archen

Developer

Software security nerd

Who are you?

Developers?

DevOps?

Security?

Managers / Business?

Modern SDLC

Each code change is its own deployment.

The goal is to shorten development cycle times.

Faster cycle times make working features available more quickly.

Increased feedback improves quality.

Restricting the scope of each deployment reduces risks.

What does CI/CD2 success look like?

Identifying vulnerabilities and planning for remediating or mitigating without impacting the deployment machine

Creating a culture of security that does not inhibit the existing pipeline but supports it

Building security into existing build, delivery, deployment pipelines

Shifting the secure mindset to risk management (don’t stop the process).

So what about this toolchain?

To achieve CI/CD2 speed and quality, organizations need to seamlessly connect processes and tools into a toolchain that eliminates bottlenecks, manual steps and errors.

Components of a toolchain (toolchain link: tools)

Orchestration and Deployment Pipeline Visualization: Jenkins (with plugins or through Cloudbees), ThoughtWorks Go, Atlassian Bamboo

Version Control: Git, Mercurial, Perforce, Subversion, TFS

Continuous Integration: Jenkins, Travis CI, ThoughtWorks Go, CircleCI, JetBrains TeamCity, Atlassian Bamboo, Gitlab CI

Artifact Management: Archiva, Artifactory, Nexus, or roll-your-own with zip files, metadata, shared storage, and access controls

Test and Environment Automation: JMeter, Selenium/WebDriver, Cucumber (BDD), RSpec (BDD), SpecFlow (BDD)

Server Configuration and Deployment: Capistrano, Fabric, ThoughtWorks Go, MSdeploy, Octopus, RunDeck

Monitoring and Reporting: Collectd, Ganglia, Graphite, Icinga, Sensu, ScriptRock

• There is a need to take each isolated process and integrate them together

• There is a need to overlay / integrate application security into the toolchain without impacting the time to develop and deploy

Code development related tools

[Pipeline diagram, repeated on each of the following slides with one stage highlighted: Code development > Code commit > Build scripts > Systematic tests > Prerelease > Production, the stages linked by APIs. Security activities mapped onto the stages: Code checking / SAST (deeper level) during code development; Unit tests and Code complete around commit and build; SAST (manual emphasis) during systematic tests; DAST / Pen testing at prerelease; DAST / Pen testing / Bug bounty in production.]

Code development related tools

SAST(Deeper

level)

Code development Code

commit Build scripts

Systematic tests

Prerelease

Production

Unit tests

Code complete

Code Checking

/SAST SAST(manual

emphasis)

DASTPen testing

DASTPen testingBug bounty

API

API

API

API

API A

PI

API

API

API

API

API

API

• Eclipse IDE• NetBeans• JetBrains IDEs• Visual Studio

Code commit related tools


• Git
• Mercurial
• Apache Subversion (SVN)
• Concurrent Versions System (CVS)

Build automation-related tools


• Apache Ant
• Maven
• Gradle
• NAnt
• Shell Scripts

SAST-related tools


• FindBugs
• PMD
• Google CodePro AnalytiX
• Brakeman
• Cppcheck
• CodeNarc
• Pylint
• Bandit
• HP Fortify
• IBM’s AppScan Source
• Codiscope
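The "don't stop the process" stance earlier in the deck and the SAST tools just listed meet at the point where a scanner's report becomes a pipeline decision. The script below is an added example, not from the talk or from any of the listed projects: it reads a JSON report shaped like the one Bandit writes with `-f json` (the sample report embedded here is constructed, and its file names, line numbers and test ids are illustrative), fails the build only on findings that reach a configurable severity and confidence and are not on an accepted-risk list (the `B105:app/auth.py` key format for accepted risks is a hypothetical convention of this example), and prints everything else as a non-blocking warning so lower-risk findings are tracked without halting delivery. A file the scanner could not process is reported as a scanner error and also fails the step, since unscanned code is a coverage gap rather than a clean result.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Bandit labels severity and confidence as LOW / MEDIUM / HIGH; this
# ordering lets a threshold be compared numerically.
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in the shape of a Bandit `-f json` report (assumption:
# the keys below match Bandit's output). File names, line numbers and
# test ids are illustrative, not findings from any real code base.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/auth.py", "line_number": 17, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password"},
        {"filename": "app/util.py", "line_number": 88, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
    ],
})


@dataclass(frozen=True)
class Finding:
    test_id: str
    filename: str
    line: int
    severity: str
    confidence: str
    text: str

    @property
    def key(self) -> str:
        # Stable identifier for accepted-risk entries (hypothetical "<test_id>:<file>" format).
        return f"{self.test_id}:{self.filename}"


def parse_report(text: str) -> Tuple[List[Finding], List[str]]:
    """Return (findings, scanner_errors) from a Bandit-style JSON report."""
    data = json.loads(text)
    findings = [
        Finding(r["test_id"], r["filename"], int(r["line_number"]),
                r["issue_severity"].upper(), r["issue_confidence"].upper(),
                r["issue_text"])
        for r in data.get("results", [])
    ]
    errors = [str(e) for e in data.get("errors", [])]
    return findings, errors


def triage(findings: Iterable[Finding], min_severity: str = "HIGH",
           min_confidence: str = "MEDIUM",
           accepted: Iterable[str] = ()) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (blocking, warnings).

    A finding blocks the build only when both its severity and its confidence
    reach the thresholds and it is not on the accepted-risk list; everything
    else is reported but does not stop the pipeline.
    """
    accepted = set(accepted)
    blocking, warnings = [], []
    for f in findings:
        meets = (LEVELS[f.severity] >= LEVELS[min_severity]
                 and LEVELS[f.confidence] >= LEVELS[min_confidence])
        if meets and f.key not in accepted:
            blocking.append(f)
        else:
            warnings.append(f)
    return blocking, warnings


def gate(report_text: str, **thresholds) -> int:
    """Pipeline step: print a summary and return the exit code (0 pass, 1 fail)."""
    findings, errors = parse_report(report_text)
    blocking, warnings = triage(findings, **thresholds)
    for f in warnings:
        print(f"WARN  {f.test_id} {f.filename}:{f.line} [{f.severity}/{f.confidence}] {f.text}")
    for f in blocking:
        print(f"BLOCK {f.test_id} {f.filename}:{f.line} [{f.severity}/{f.confidence}] {f.text}")
    for e in errors:
        # A file the scanner could not process is unscanned code, so it is flagged.
        print(f"SCANNER ERROR {e}")
    print(f"{len(blocking)} blocking, {len(warnings)} warning(s), {len(errors)} scanner error(s)")
    return 1 if blocking or errors else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

In a real pipeline the report text would come from the scanner's output file rather than the embedded sample, and the accepted-risk list would live in version control next to the code so that each accepted finding is reviewed like any other change.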

DAST-related tools


• OWASP ZAP
• Arachni
• IBM AppScan Standard
• HP WebInspect

Questions?