1. Building the Pipeline of My Dreams
Gene Gotimer
© COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. @CoverosGene #AgileDC
2. About Coveros
• Coveros helps companies accelerate the delivery of secure, reliable software using agile methods
• Services
  • Agile Transformations & Coaching
  • Agile Software Development
  • Agile Testing & Automation
  • DevOps and DevSecOps Implementations
  • Software Security Assurance & Testing
  • Agile, DevOps, Test Automation, Security Training
• Open Source Products
  • SecureCI – Secure DevOps toolchain
  • Selenified – Agile test framework
Areas of Expertise
3. Selected Clients
4. Delivery Pipeline
Process of taking a code change from developers and getting it deployed into production or delivered to the customer: automated, manual, or a mix.
5. Tests Your Pipeline Might Be Missing
• List of different types of tests to add to your pipeline
• Presented as a 10-minute lightning talk at AgileDC 2017
• A longer version, with full video, was presented at TestBash Philadelphia 2017
https://goo.gl/pyuvyL
6. zap-sonar-plugin
• Integrates reports from OWASP ZAP into SonarQube
• Written by Steve Springett
https://github.com/Coveros/zap-sonar-plugin
7. Challenges
• zap-sonar-plugin is a library
  • Many of the system-level tests don’t apply
• Open-source
  • Everything must be accessible from the Internet
  • Nothing private
  • Anyone should be able to contribute
• I’m cheap
  • No recurring monthly charges, subscriptions
  • Including VMs
• Must be easy
  • Infrequent use means I’ll forget anything complicated
8. Source Control
• Using GitHub
  • Was already hosted on GitHub
  • Would have considered GitLab if I wanted it private
  • Pull requests
  • Issue tracker
  • README.md rendering
  • Wiki
9. zap-sonar-plugin on GitHub
10. Branching
• Usually I recommend Git Flow
  • Flexible
  • Supports most use cases
  • Merge features to develop
  • Release from master
• Switching to GitHub Flow
  • Simpler
  • No develop branch
  • Pull requests merge to master
  • Avoids extra merge from develop to master
https://guides.github.com/introduction/flow/
11. Build System
• Using Maven
  • Clear winner for Java
  • Convention over configuration
  • Everyone can use it immediately
  • Excellent dependency management
  • Lots and lots of plugins
• I recommend against Gradle
  • Not because it is bad
  • Because most projects don’t need it
https://maven.apache.org
12. Continuous Integration
• Usually I recommend Jenkins
  • Free, open source
    • Commercial option available
  • Lots and lots of plugins
  • De facto standard
  • Really, so many plugins
• Using TravisCI
  • Free for open source, hosted
  • Easy GitHub integration, badge
https://travis-ci.com
13. Static Analysis
• Usually I recommend SonarQube
  • Free, open source
  • Lots of plugins
  • Many languages supported
  • De facto standard
• Using Codacy
  • Free for open source
  • Easy GitHub integration, badge
• Also trying Code Climate
  • More specific on maintainability
https://www.codacy.com
https://codeclimate.com
14. Libraries up-to-date
• Usually I recommend OWASP Dependency Check
  • And OWASP Dependency Track
• My clients often use Sonatype Nexus Lifecycle
  • Want to keep all security findings in house
• Using Sonatype DepShield
  • Free for open source
  • Currently Maven only
  • npm and Python coming soon
https://depshield.github.io
15. Repeatable, Reliable Deployments
• Usually I recommend Chef, Puppet, Docker
  • Any of them work
  • Automated deploys are a must-have for a pipeline
• Using Docker
  • Not deploying, just for testing
  • zap-sonar-plugin is built into a SonarQube image
https://www.docker.com
  • dockerfile-maven-plugin from Spotify
https://github.com/spotify/dockerfile-maven
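As an added example (not the zap-sonar-plugin project's own pom.xml), this is the dockerfile-maven-plugin wiring that bakes the freshly packaged plugin jar into a SonarQube image for testing only; the plugin version, the image name and the Dockerfile described below are assumptions.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>com.spotify</groupId>
      <artifactId>dockerfile-maven-plugin</artifactId>
      <version>1.4.13</version> <!-- illustrative version -->
      <executions>
        <execution>
          <id>build-test-image</id>
          <!-- Bound to "package" so `mvn package` yields the jar and an
               image containing it. No "push" goal: the image exists only
               for local and CI testing, never for deployment. -->
          <phase>package</phase>
          <goals>
            <goal>build</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Image name is an assumption; tagging with the project version
             keeps a -SNAPSHOT image from being mistaken for a release -->
        <repository>coveros/sonarqube-zap-test</repository>
        <tag>${project.version}</tag>
        <!-- Handed to the Dockerfile as ARG JAR_FILE, so the Dockerfile
             never hard-codes the artifact name or version -->
        <buildArgs>
          <JAR_FILE>target/${project.build.finalName}.jar</JAR_FILE>
        </buildArgs>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The matching Dockerfile (also assumed) is three lines: `FROM sonarqube:<version>`, `ARG JAR_FILE`, and `COPY ${JAR_FILE} /opt/sonarqube/extensions/plugins/`, the directory the official image loads plugins from.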
16. Functional Testing
• Normally I’d recommend smoke tests after every deploy
  • To test the deploy
• In this case, the smoke tests = functional tests
  • Load the Docker image
  • Run Selenium tests
    • Load known OWASP ZAP report
    • Make sure expected data is displayed
• Not written yet
  • Lots of excuses, but they just aren’t done
https://www.seleniumhq.org
17. Security Testing
• Limited exposed interface
  • No API to speak of
• Relying on
  • Static analysis
  • Library scanning
  • Manual review
• But considering security on every change
  • In case we need to do some real scanning
18. Performance Testing
• Usually I recommend JMeter
  • Free, open source
  • Written in Java
    • Not just for testing Java
https://jmeter.apache.org
• Not doing any performance tests
  • Should measure load and parse times
  • Not currently a concern
19. Releasing
• Release means pushing to Central Repository
• maven-release-plugin
  • To switch from -SNAPSHOT build to release
• maven-gpg-plugin
  • To sign the release with my GPG private key
  • Cannot easily be automated
• nexus-staging-maven-plugin
  • To push to Central Repository
• Also publish library to GitHub releases
  • Using TravisCI
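An added pom.xml fragment (not the project's own) showing how the three plugins on this slide fit together: maven-release-plugin in the main build, with signing and staging in a `release` profile that release:perform activates. Plugin versions, the `ossrh` server id and the Nexus URL are assumptions.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-release-plugin</artifactId>
      <version>2.5.3</version> <!-- illustrative version -->
      <configuration>
        <!-- release:prepare drops -SNAPSHOT, tags, bumps to next -SNAPSHOT;
             release:perform runs "deploy" from the tag with this profile -->
        <releaseProfiles>release</releaseProfiles>
        <goals>deploy</goals>
      </configuration>
    </plugin>
  </plugins>
</build>
<profiles>
  <profile>
    <id>release</id>
    <build>
      <plugins>
        <!-- Signs every attached artifact in "verify". Needs the private key
             and passphrase on the releasing machine: the step the talk says
             cannot easily be automated. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <version>1.6</version>
          <executions>
            <execution>
              <phase>verify</phase>
              <goals><goal>sign</goal></goals>
            </execution>
          </executions>
        </plugin>
        <!-- Replaces the default deploy: uploads signed artifacts to a Central
             staging repository, closes it, and releases it once the Central
             rules (signatures, sources, javadoc, pom) pass -->
        <plugin>
          <groupId>org.sonatype.plugins</groupId>
          <artifactId>nexus-staging-maven-plugin</artifactId>
          <version>1.6.8</version>
          <extensions>true</extensions>
          <configuration>
            <serverId>ossrh</serverId> <!-- credentials id in settings.xml -->
            <nexusUrl>https://oss.sonatype.org/</nexusUrl>
            <autoReleaseAfterClose>true</autoReleaseAfterClose>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```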
20. Future Work
• Add Selenium tests
• Add a performance baseline
• Full automated release
21. #Coveros5
• Be flexible with tool selection. Fill a role, don’t just use the tool.
• Not all pipelines are created equal. Not all projects are the same.
• Ease of use is important if you don’t do it often. Automation can be especially helpful.
• There are always trade-offs. Even when you only answer to yourself.
22. The pipeline is never done
A little better is still better.
Keep improving.
23. Questions?
Gene Gotimer
gene.gotimer@coveros.com
@CoverosGene
https://github.com/Coveros/zap-sonar-plugin