kevin glavin - continuous integration, continuous delivery, and deployment (ci/cd2)
![Page 1: Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)](https://reader035.vdocuments.site/reader035/viewer/2022062310/588036101a28ab9f0f8b7469/html5/thumbnails/1.jpg)
Continuous Integration, Continuous Delivery, and Deployment (CI/CD2)
An open source toolchain
March 2016
Kevin Glavin
Page 2
Who am I?
Kevin Glavin
@archen
Developer
Software security nerd
Page 3
Who are you?
Developers?
DevOps?
Security?
Managers / Business?
Page 4
Modern SDLC
Each code change is its own deployment.
The goal is to boil the work down to shorter development cycle times.
Faster cycle times make working features available more quickly.
Increased feedback improves quality.
Restricting the scope of each deployment reduces risks.
Page 5
What does CI/CD2 success look like?
Identifying vulnerabilities and planning to remediate or mitigate them without impacting the deployment machine
Creating a culture of security that does not inhibit the existing pipeline but supports it
Building security into existing build, delivery, and deployment pipelines
Shifting the secure mindset to risk management (don't stop the process).
Page 6
So what about this toolchain?
To achieve CI/CD2 speed and quality, organizations need to seamlessly connect processes and tools into a toolchain that eliminates bottlenecks, manual steps and errors.
Page 7
Components of a toolchain

| Toolchain links | Tools |
|---|---|
| Orchestration and Deployment Pipeline Visualization | Jenkins (with plugins or through Cloudbees), ThoughtWorks Go, Atlassian Bamboo |
| Version Control | Git, Mercurial, Perforce, Subversion, TFS |
| Continuous Integration | Jenkins, Travis CI, ThoughtWorks Go, CircleCI, JetBrains TeamCity, Atlassian Bamboo, Gitlab CI |
| Artifact Management | Archiva, Artifactory, Nexus, or roll-your-own with zip files, metadata, shared storage, and access controls |
| Test and Environment Automation | JMeter, Selenium/WebDriver, Cucumber (BDD), RSpec (BDD), SpecFlow (BDD) |
| Server Configuration and Deployment | Capistrano, Fabric, ThoughtWorks Go, MSdeploy, Octopus, RunDeck |
| Monitoring and Reporting | Collectd, Ganglia, Graphite, Icinga, Sensu, ScriptRock |
• There is a need to take each isolated process and integrate them together
• There is a need to overlay / integrate application security into the toolchain without impacting the time to develop and deploy
Page 8
Code development related tools
[Pipeline diagram: stages Code development → Code commit → Build scripts → Systematic tests → Prerelease → Production, with security activities placed along them: Code checking / SAST, SAST (deeper level), Unit tests, Code complete, SAST (manual emphasis), DAST / Pen testing, DAST / Pen testing / Bug bounty; the tools at each stage are linked through APIs]
Page 9
Code development related tools
• Eclipse IDE
• NetBeans
• JetBrains IDEs
• Visual Studio
Page 10
Code commit related tools
• Git
• Mercurial
• Apache Subversion (SVN)
• Concurrent Versions System (CVS)
Page 11
Build automation-related tools
• Apache Ant
• Maven
• Gradle
• NAnt
• Shell Scripts
Page 12
SAST-related tools
• FindBugs
• PMD
• Google CodePro AnalytiX
• Brakeman
• Cppcheck
• CodeNarc
• Pylint
• Bandit
• HP Fortify
• IBM's AppScan Source
• Codiscope
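A build-stage gate for one of the SAST tools listed above (Bandit), added here as an illustration and not part of the talk: it reads a report in Bandit's JSON layout and blocks the build only on findings that meet both a severity and a confidence threshold, while every other finding is reported and the pipeline keeps moving, which is the risk-management stance from the earlier slide. The sample report is constructed, and the `triage`/`gate` functions and their threshold parameters are this example's own.

```python
import json
import sys

# Constructed sample in Bandit's JSON report layout (bandit -f json); not a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/views.py", "line_number": 42, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "app/util.py", "line_number": 10, "test_id": "B303",
         "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "issue_text": "Use of insecure MD5 hash function"},
        {"filename": "tests/test_x.py", "line_number": 7, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected"},
    ]
})

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def triage(report_json, fail_severity="HIGH", fail_confidence="HIGH"):
    """Split Bandit findings into blocking and advisory sets.
    A finding blocks only when it meets both thresholds; the rest are
    reported so the pipeline keeps moving (risk management, not a stop).
    """
    blocking, advisory = [], []
    for r in json.loads(report_json).get("results", []):
        sev = LEVELS.get(str(r.get("issue_severity", "LOW")).upper(), 1)
        conf = LEVELS.get(str(r.get("issue_confidence", "LOW")).upper(), 1)
        if sev >= LEVELS[fail_severity] and conf >= LEVELS[fail_confidence]:
            blocking.append(r)
        else:
            advisory.append(r)
    return blocking, advisory

def gate(report_json, **thresholds):
    """Return (exit code for the CI stage, summary text for the reporting step)."""
    blocking, advisory = triage(report_json, **thresholds)
    fmt = "{tag} {test_id} {filename}:{line_number} {issue_text}".format
    lines = [fmt(tag="BLOCK", **r) for r in blocking] + [fmt(tag="WARN ", **r) for r in advisory]
    lines.append("bandit: %d blocking, %d advisory" % (len(blocking), len(advisory)))
    return (1 if blocking else 0), "\n".join(lines)

if __name__ == "__main__":
    # Typical stage: bandit -r . -f json -o bandit.json && python gate.py bandit.json
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, text = gate(report)
    print(text)
    sys.exit(code)
```

The thresholds are the tunable part: lowering `fail_severity` to MEDIUM turns the MD5 finding into a blocker as well, so the gate can be tightened stage by stage without rewriting the pipeline.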
Page 13
DAST-related tools
• OWASP ZAP
• Arachni
• IBM AppScan Standard
• HP WebInspect
Page 14
Questions?