What is continuous integration?
Continuous integration (CI) is a development practice where development teams make small, frequent changes to code. An automated build verifies the code each time developers check their changes into the version control repository. As a result, development teams can detect problems early. According to InfoWorld, the goal of CI is “to establish a consistent and automated way to build, package, and test applications, leading to better software quality.” Paul Duvall, co-author of “Continuous Integration: Improving Software Quality and Reducing Risk,” notes that CI best practices include:
- Frequent code commits
- Developer test categorization
- A dedicated integration build machine
- Continuous feedback mechanisms
- Staging builds
Continuous integration is the first part of CI/CD, a practice that enables application development teams to release incremental code changes to production quickly and regularly.
How to secure continuous integration
CI/CD focuses on speed in the software development and deployment process. Security traditionally does not. The challenge is to secure CI without affecting the speedy delivery of software. That’s where DevSecOps comes in. DevSecOps builds on the idea that “everyone is responsible for security,” with the goal of distributing security decisions safely and at speed, without sacrificing the safety required.
Static application security testing (SAST) is a testing methodology that analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack. Because SAST takes place very early in the software development life cycle (SDLC), it helps developers identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or slowing the path to the final release of the application.
Similarly, software composition analysis (SCA) helps organizations build application security into their CI/CD pipeline. SCA provides a comprehensive solution for early management of risk that comes from the use of open source and third-party code in applications and containers.
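One way SAST and SCA results are wired into a CI pipeline without breaking every build is a severity gate: the scanner writes its findings in SARIF (the interchange format most SAST and SCA tools can emit), and a small step fails the job only when findings at or above a chosen level are present. The script below is an added example written for this page, not code from the page or from any particular scanner; the tool name, rule IDs, file paths and the SARIF document are constructed sample data, and it assumes the SARIF 2.1.0 layout of `runs[].results[]` with a `level` field.

```python
import json

# Severity ranking for SARIF 2.1.0 "level" values, lowest to highest.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF output shaped like a SAST scanner's report; not real scan data.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},   # hypothetical tool name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note", "locations": []},
        ],
    }],
})


def gate_sarif(sarif_text, fail_on="error"):
    """Return (should_fail, blocking) where blocking lists (ruleId, level, location)
    for every result whose level is at or above the fail_on threshold."""
    threshold = LEVEL_RANK[fail_on]
    blocking = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a missing level as "warning" unless the rule config says otherwise.
            level = result.get("level", "warning")
            if LEVEL_RANK.get(level, 0) < threshold:
                continue
            location = "<no location>"
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                location = f"{uri}:{line}"
                break  # first location is enough for the build log
            blocking.append((result.get("ruleId", "?"), level, location))
    return bool(blocking), blocking


if __name__ == "__main__":
    # In CI: run the scanner, then feed its SARIF file here; a non-zero exit fails the job.
    should_fail, findings = gate_sarif(SAMPLE_SARIF, fail_on="error")
    for rule_id, level, location in findings:
        print(f"{level.upper():8}{rule_id} at {location}")
    raise SystemExit(1 if should_fail else 0)
```

Raising `fail_on` to "warning" turns the gate stricter for release branches while leaving developer branches to fail only on errors, which is the usual way to keep SAST from slowing the path to release.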