This document discusses Continuous Integration, Continuous Delivery, and Deployment (CI/CD2) and the components of an effective CI/CD2 toolchain. It describes the benefits of shorter development cycles through CI/CD2 practices and identifies some common tools used in each part of the development process, including version control, build automation, testing, security analysis, and deployment. The goal of an integrated toolchain is to seamlessly connect all processes and tools to eliminate bottlenecks and errors.
4. Modern SDLC
Each code change is its own deployment.
The goal is a shorter development cycle time.
Faster cycle times make working features available more quickly.
Increased feedback improves quality.
Restricting the scope of each deployment reduces risks.
5. What does CI/CD2 success look like?
• Identifying vulnerabilities and planning for remediating or mitigating without impacting the deployment machine
• Creating a culture of security that does not inhibit the existing pipeline but supports it
• Building security into existing build, delivery, deployment pipelines
• Shifting the secure mindset to risk management (don't stop the process).
6. So what about this toolchain?
To achieve CI/CD2 speed and quality, organizations need to seamlessly connect processes and tools into a toolchain that eliminates bottlenecks, manual steps and errors.
7. Components of a toolchain
Toolchain links and the tools commonly used for each:
• Orchestration and Deployment Pipeline Visualization: Jenkins (with plugins or through CloudBees), ThoughtWorks Go, Atlassian Bamboo
• Version Control: Git, Mercurial, Perforce, Subversion, TFS
• Continuous Integration: Jenkins, Travis CI, ThoughtWorks Go, CircleCI, JetBrains TeamCity, Atlassian Bamboo, GitLab CI
• Artifact Management: Archiva, Artifactory, Nexus, or roll-your-own with zip files, metadata, shared storage, and access controls
• Test and Environment Automation: JMeter, Selenium/WebDriver, Cucumber (BDD), RSpec (BDD), SpecFlow (BDD)
• Server Configuration and Deployment: Capistrano, Fabric, ThoughtWorks Go, MSDeploy, Octopus, RunDeck
• Monitoring and Reporting: Collectd, Ganglia, Graphite, Icinga, Sensu, ScriptRock
• Each isolated process needs to be integrated with the others into a single toolchain
• Application security needs to be overlaid on / integrated into the toolchain without impacting the time to develop and deploy
8. Code development related tools
[Pipeline diagram: stages labelled Code development, Code commit, Build scripts, Unit tests, Systematic tests, Code complete, Prerelease, Production; security activities overlaid along the pipeline: Code checking/SAST, SAST (deeper level), SAST (manual emphasis), DAST, pen testing, bug bounty. The same diagram is repeated on the following slides with one stage highlighted.]
9. Code development related tools
• Eclipse IDE
• NetBeans
• JetBrains IDEs
• Visual Studio
10. Code commit related tools
• Git
• Mercurial
• Apache Subversion (SVN)
• Concurrent Versions System (CVS)
11. Build automation-related tools
• Apache Ant
• Maven
• Gradle
• NAnt
• Shell Scripts
12. SAST-related tools
• FindBugs
• PMD
• Google CodePro AnalytiX
• Brakeman
• Cppcheck
• CodeNarc
• Pylint
• Bandit
• HP Fortify
• IBM's AppScan Source
• Codiscope
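The risk-management gate from slide 5 ("don't stop the process"), applied to the JSON report of Bandit, one of the SAST tools listed above, as an added Python example that is not part of the original deck. The embedded report is a constructed sample, and the severity/confidence policy is a hypothetical one, not Bandit's or any project's default.

```python
import json
from collections import Counter

# Constructed sample in the shape of Bandit's JSON report ("bandit -f json"):
# one HIGH-severity finding and one LOW-severity finding.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/deploy.py", "line_number": 12, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "app/util.py", "line_number": 40, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected"},
    ]
})

# Hypothetical gate policy: only HIGH-severity findings reported with at
# least MEDIUM confidence block the pipeline; everything else is recorded
# in the build log and the build continues.
BLOCKING_SEVERITY = "HIGH"
MIN_CONFIDENCE = {"MEDIUM", "HIGH"}


def summarize(report_json):
    """Return (blocking_findings, severity_counts) for a Bandit JSON report."""
    results = json.loads(report_json).get("results", [])
    counts = Counter(r["issue_severity"] for r in results)
    blocking = [r for r in results
                if r["issue_severity"] == BLOCKING_SEVERITY
                and r["issue_confidence"] in MIN_CONFIDENCE]
    return blocking, counts


def gate(report_json, max_blocking=0):
    """Decide whether the pipeline proceeds; returns (proceed, message)."""
    blocking, counts = summarize(report_json)
    detail = ", ".join(f"{sev}={n}" for sev, n in sorted(counts.items()))
    if len(blocking) > max_blocking:
        locs = "; ".join(f"{r['filename']}:{r['line_number']} {r['test_id']}"
                         for r in blocking)
        return False, f"BLOCK: {len(blocking)} high-severity finding(s) [{locs}] ({detail})"
    return True, f"PROCEED with findings recorded ({detail})"


if __name__ == "__main__":
    proceed, message = gate(SAMPLE_REPORT)
    print(message)
```

In a pipeline step the second return value is what gets written to the build log, and the first decides the step's exit status.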
13. DAST-related tools
• OWASP ZAP
• Arachni
• IBM AppScan Standard
• HP WebInspect