Continuous Integration

According to InfoWorld, the goal of CI is “to establish a consistent and automated way to build, package, and test applications, leading to better software quality.” Co-author of “Continuous Integration: Improving Software Quality and Reducing Risk” Paul Duvall notes that best practices of CI include:

• Frequent code commits
• Developer test categorization
• A dedicated integration build machine
• Continuous feedback mechanisms
• Staging builds

CI/CD focuses on speed in the software development and deployment process. Security traditionally does not. The challenge is to secure CI without affecting the speedy delivery of software. That’s where DevSecOps comes in. DevSecOps build on the idea that “everyone is responsible for security” with the goal of safely distributing security decisions at speed and without sacrificing the safety required.

Static application security testing (SAST) is a testing methodology that analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack. Because SAST takes place very early in the software development life cycle (SDLC), it helps developers identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or slowing the path to the final release of the application.

Similarly, software composition analysis (SCA) helps organizations build application security into their CI/CD pipeline. SCA provides a comprehensive solution for early management of risk that comes from the use of open source and third-party code in applications and containers.