Developing a delivery pipeline means more than just adding automated deploys to the development cycle. To succeed, quality testing of all types must be incorporated throughout the process to ensure that problems aren’t slipping through. Those checks must include security, or else you risk quickly and efficiently developing insecure software. Fortunately, the delivery pipeline opens up opportunities to add more security testing to the delivery process.
Continuous integration builds can add static analysis tools to test for simple security errors and to check whether components with known vulnerabilities are being used. Automated deploys offer opportunities for automated application scans and for scans of the entire system as it will be configured in production. I will introduce several types of open-source and free security testing tools that can be quickly (and, if needed, quietly) added to a delivery pipeline without waiting for or spending money on expensive security tools. That reduces the initial investment in both time and money, and may remove some of the barriers to adding security testing to the process.
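Whatever scanners end up in the pipeline, each stage needs the same small piece of glue: collect the findings, apply a policy, and decide whether the build fails, is only reported on (the "quiet" mode mentioned above), or passes. The gate below is an added example written for this page; it is not code from the session or from any particular scanner. The JSON report, the rule ids, the package name and the hostnames are all constructed for illustration, and the `accepted` risk list models a documented risk acceptance rather than any real tool's suppression format.

```python
"""Pipeline security gate: turn scanner findings into a pass/report/fail decision.

Added example (not from the session or any named tool). Assumes the pipeline's
scanners (static analysis, dependency checks, application and system scans)
have been flattened into one JSON list of findings with the fields below.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    source: str        # pipeline stage that produced it: sast, dependency, dast, infra
    rule: str          # tool rule id or advisory id
    severity: Severity
    location: str      # file:line, package@version, URL, or host


# Constructed sample report. Every rule id, path, package and host is made up.
SAMPLE_REPORT = json.dumps([
    {"source": "sast", "rule": "hardcoded-secret", "severity": "high",
     "location": "src/config.py:14"},
    {"source": "dependency", "rule": "EXAMPLE-ADVISORY-0001", "severity": "critical",
     "location": "libfoo@1.2.3"},
    {"source": "dast", "rule": "missing-csp-header", "severity": "low",
     "location": "https://staging.example.test/"},
    {"source": "infra", "rule": "ssh-password-auth", "severity": "medium",
     "location": "web-01"},
    {"source": "sast", "rule": "weak-hash", "severity": "medium",
     "location": "src/legacy.py:88"},
])


def parse_findings(report_json: str) -> list[Finding]:
    """Normalise the flattened JSON report into Finding records."""
    findings = []
    for item in json.loads(report_json):
        sev = Severity[item["severity"].upper()]
        findings.append(Finding(item["source"], item["rule"], sev, item["location"]))
    return findings


def evaluate(findings: list[Finding], fail_at: Severity = Severity.HIGH,
             enforce: bool = True, accepted: frozenset = frozenset()) -> dict:
    """Apply the gate policy and return the decision with its evidence.

    fail_at:  lowest severity that blocks the stage.
    enforce:  False is the "quiet" mode: everything is recorded, nothing fails.
    accepted: (rule, location) pairs with a documented risk acceptance; these are
              reported as suppressed rather than silently dropped.
    """
    blocking, suppressed, informational = [], [], []
    for f in findings:
        if (f.rule, f.location) in accepted:
            suppressed.append(f)
        elif f.severity >= fail_at:
            blocking.append(f)
        else:
            informational.append(f)
    if blocking and enforce:
        status = "fail"
    elif blocking:
        status = "report"      # would have failed; surfaced but not enforced
    else:
        status = "pass"
    return {"status": status, "blocking": blocking,
            "suppressed": suppressed, "informational": informational}


def main(argv: list[str]) -> int:
    """CLI entry point: read a report file (or the sample) and set the exit code."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    enforce = "--quiet" not in argv
    result = evaluate(parse_findings(report), enforce=enforce)
    for bucket in ("blocking", "suppressed", "informational"):
        for f in result[bucket]:
            print(f"{bucket:13} {f.severity.name:8} {f.source:10} {f.rule} @ {f.location}")
    print(f"gate status: {result['status']}")
    return 1 if result["status"] == "fail" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to gate the constructed sample (exit code 1, because the hard-coded secret and the critical dependency advisory block it), or with `--quiet` to get the same report with exit code 0, which is how a new check can be introduced to a pipeline without breaking anyone's build until the team is ready to enforce it.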
This session is aimed at people who are trying to build more security into their continuous delivery pipeline. I’ll walk through lessons learned building Continuous Delivery pipelines in different environments, and experiences using specific open-source tools to supplement our security testing even when security wasn’t technically our responsibility.