Continuous Integration: Building security into continuous integration starts with creating security-specific unit tests for critical sections of code such as authentication, password management, validation routines and access control. Execute fast, accurate static and dynamic analysis scans for dangerous functions, OWASP Top 10 issues and vulnerable dependencies. Failed tests and high-risk vulnerabilities found in these scans should fail the build and require an immediate fix before the change is deployed into a testing environment.
- Jenkins https://jenkins-ci.org
- Bamboo https://www.atlassian.com/software/bamboo
- Travis https://travis-ci.org
Continuous Delivery: Wiring automated security scanning into the continuous delivery process allows in-depth static and dynamic testing to be completed. The scan results are fed through pre-defined acceptance criteria, with failures resulting in an unsuccessful build and deployment.
- Gauntlt: http://gauntlt.org
- Mozilla Minion: https://wiki.mozilla.org/Security/Projects/Minion
- Yahoo Gryffin: https://github.com/yahoo/gryffin
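The CI and CD paragraphs above both come down to the same control: scan output is compared against pre-defined acceptance criteria, and the build fails when they are not met. The following is an added example of such a gate, not code from any of the tools listed; the JSON shape, the finding IDs and the two policies are constructed for illustration and are not any scanner's real output format.

```python
"""Build gate: fail the build when scan results violate the acceptance
criteria for the stage (CI = fast scan, block high and above;
CD = in-depth scan, block medium and above).

Added example; not part of Jenkins, Bamboo, Travis, Gauntlt, Minion or
Gryffin. SAMPLE_RESULTS is a constructed, tool-neutral normalisation of
what a static scan plus a dependency check might report.
"""
import json
import sys

SAMPLE_RESULTS = json.dumps({
    "findings": [
        {"id": "SAST-1", "severity": "high", "category": "sql-injection",
         "location": "app/db.py:42"},
        {"id": "DEP-7", "severity": "medium", "category": "vulnerable-dependency",
         "location": "requirements.txt"},
        {"id": "SAST-2", "severity": "low", "category": "dangerous-function",
         "location": "app/util.py:10"},
    ]
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Acceptance criteria (hypothetical policies). Some categories block
# regardless of the severity the scanner assigned them.
CI_POLICY = {"block_at": "high", "always_block": {"sql-injection", "auth-bypass"}}
CD_POLICY = {"block_at": "medium", "always_block": {"sql-injection", "auth-bypass"}}


def evaluate(results_json, policy):
    """Return (passed, reasons). A finding blocks when its severity is at
    or above policy['block_at'] or its category is in always_block."""
    threshold = SEVERITY_RANK[policy["block_at"]]
    reasons = []
    for f in json.loads(results_json)["findings"]:
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:
            # An unknown severity blocks rather than being ignored: a change
            # in scanner output must never silently open the gate.
            reasons.append(f"{f['id']}: unknown severity '{sev}'")
            continue
        if SEVERITY_RANK[sev] >= threshold or f.get("category") in policy["always_block"]:
            reasons.append(f"{f['id']} ({sev}, {f.get('category')}) at {f.get('location')}")
    return (len(reasons) == 0, reasons)


def main(argv):
    """Usage: gate.py [ci|cd]; exit status 1 fails the build."""
    stage = argv[1] if len(argv) > 1 else "ci"
    policy = CD_POLICY if stage == "cd" else CI_POLICY
    passed, reasons = evaluate(SAMPLE_RESULTS, policy)
    for r in reasons:
        print("BLOCKING:", r)
    print("gate", "passed" if passed else "FAILED", "for stage", stage)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the sample data, the CI policy blocks on the high-severity injection finding only, while the CD policy also blocks on the medium-severity vulnerable dependency; a non-zero exit status is what makes the CI or CD server mark the build as failed.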
Continuous Deployment: Allowing developers to automate the delivery of changes into production requires additional compensating controls. Perform comprehensive audit logging to track the actions taken and files viewed in production. Implement detective change control to log and review which files are modified. Encrypt confidential data in production and enable data loss prevention mechanisms to stop unauthorized information disclosure.
- Go: http://www.go.cd/
- DeployIT: http://gallery.xebia.com/component/deployit
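Detective change control, as described above, means recording a known-good state of what was deployed and later detecting what differs. The following is an added example of that control, not part of Go or DeployIT: it hashes a deployed tree, compares it with the baseline, and emits one audit record per change. The directory layout and the tampering scenario in demo() are constructed.

```python
"""Detective change control for a production deployment: hash baseline
of deployed files, then detect and log what changed.

Added example; not part of Go or DeployIT. Standard library only; the
demo writes only inside a temporary directory it creates.
"""
import hashlib
import json
import os
import tempfile
import time


def snapshot(root):
    """Map relative path -> sha256, size and mode for every regular file."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            st = os.stat(full)
            result[rel] = {"sha256": h.hexdigest(), "size": st.st_size,
                           "mode": oct(st.st_mode & 0o777)}
    return result


def diff(baseline, current):
    """Classify every difference since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def audit_records(changes, actor="unknown", now=None):
    """One JSON line per change, ready to ship to a central log store
    that the deployment pipeline itself cannot edit."""
    ts = now if now is not None else time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            lines.append(json.dumps({"ts": ts, "event": "file_" + kind,
                                     "path": path, "actor": actor}, sort_keys=True))
    return lines


def demo():
    """Constructed scenario: deploy, take baseline, tamper, detect."""
    root = tempfile.mkdtemp(prefix="prod-")
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "config.ini"), "w") as f:
        f.write("debug=false\n")
    with open(os.path.join(root, "app", "main.py"), "w") as f:
        f.write("print('hello')\n")
    base = snapshot(root)
    # Out-of-band change in production: config edited and a new file dropped.
    with open(os.path.join(root, "app", "config.ini"), "w") as f:
        f.write("debug=true\n")
    with open(os.path.join(root, "app", "backdoor.py"), "w") as f:
        f.write("pass\n")
    return diff(base, snapshot(root))


if __name__ == "__main__":
    for line in audit_records(demo(), actor="deploy-bot"):
        print(line)
```

The baseline should be written at deployment time by the pipeline and stored somewhere the production hosts cannot modify; a scheduled run of snapshot() plus diff() then turns every unexpected change into a reviewable event rather than a surprise.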
Infrastructure as Code: Writing code to manage the servers' infrastructure, configuration and environment allows new servers to be configured quickly and consistently. Store infrastructure code and data in version control to track the history of changes made to the environment. Perform security reviews of the manifests and cookbooks to ensure hardened baseline requirements are met.
- Puppet: https://puppetlabs.com
- Chef: https://www.chef.io
- Ansible: http://www.ansible.com
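A security review of a manifest or cookbook can be automated by checking the files it manages against the hardened baseline. The following is an added example, not Puppet, Chef or Ansible code: it reviews a constructed sshd_config template (the kind of file such tools deploy) against an illustrative subset of SSH hardening settings. The BASELINE values are an assumption for the example, not a complete standard.

```python
"""Security review of a managed configuration file against a hardened
baseline.

Added example; not part of Puppet, Chef or Ansible. The managed file and
the baseline are constructed for illustration.
"""

# Hardened baseline (illustrative): keyword -> allowed values.
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "Protocol": {"2"},
}

# Constructed managed file, as a manifest might write to /etc/ssh/sshd_config.
MANAGED_SSHD_CONFIG = """\
# Managed by configuration management - do not edit by hand
Protocol 2
PermitRootLogin yes
# The next line is commented out, so it is not in effect:
# PasswordAuthentication no
X11Forwarding no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return the effective global keyword values.

    sshd honours the first occurrence of a keyword, and lines after a
    'Match' directive apply only to that conditional block, so the
    parser keeps the first value seen and stops at the first Match.
    A plain grep would get both of those cases wrong.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key not in effective:
            effective[key] = value
    return effective


def review(text, baseline=BASELINE):
    """List baseline violations. An absent keyword is reported too,
    because the daemon default may be weaker than the baseline."""
    effective = parse_sshd_config(text)
    violations = []
    for key, allowed in baseline.items():
        actual = effective.get(key.lower())
        if actual is None:
            violations.append(f"{key}: not set (daemon default applies)")
        elif actual.lower() not in {a.lower() for a in allowed}:
            violations.append(f"{key}: '{actual}' not in {sorted(allowed)}")
    return violations


if __name__ == "__main__":
    problems = review(MANAGED_SSHD_CONFIG)
    for v in problems:
        print("FAIL", v)
    if not problems:
        print("baseline met")
```

Run as a pre-merge check on the repository that holds the manifests, this catches both the explicit weak setting (PermitRootLogin yes) and the subtler one: the hardening line that exists in the file but is commented out, while the only active PasswordAuthentication line sits inside a Match block and does not apply globally.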
Container Security: Containers allow isolated images with an application and its dependencies to be quickly installed and executed. Use signed images and verify the signatures to prevent tampered images from entering the environment. Isolate container images using a virtual machine or separate server, and ensure the image runs as a non-privileged user account.
- Docker: https://docker.com
- Rocket: https://coreos.com/blog/rocket
- Twistlock: https://www.twistlock.com
- Windows Containers: https://msdn.microsoft.com/en-us/virtualization/windowscontainers/containers_welcome
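Two of the controls above can be checked before an image is ever built: the base image must be pinned so a re-tagged or tampered upstream image cannot slip in, and the image must not run as root. The following is an added example of such a Dockerfile review, not code from Docker, Rocket, Twistlock or Windows Containers; both Dockerfiles are constructed and the sha256 digest in the hardened one is a placeholder, not a real image.

```python
"""Review a Dockerfile for an unpinned base image and for running as root.

Added example; not part of Docker, rkt, Twistlock or Windows Containers.
Dockerfile text is constructed and the digest is a placeholder.
"""
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed: a typical first draft.
DOCKERFILE_BAD = """\
FROM debian:latest
RUN apt-get update && apt-get install -y python3
COPY app /app
CMD ["python3", "/app/main.py"]
"""

# Constructed: hardened version (placeholder digest, dedicated non-root user).
DOCKERFILE_GOOD = "FROM debian@sha256:" + "0" * 64 + "\n" + """\
RUN apt-get update && apt-get install -y python3 \\
 && useradd --system --uid 10001 --no-create-home app
COPY --chown=app:app app /app
USER app
CMD ["python3", "/app/main.py"]
"""


def instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    for line in joined:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def review_dockerfile(text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    stages = set()      # names declared with "FROM ... AS name"
    last_user = None
    for instr, arg in instructions(text):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image = tokens[0]
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if image.lower() == "scratch" or image in stages:
                continue
            if not DIGEST_RE.search(image):
                findings.append(f"FROM {image}: base image not pinned by digest")
        elif instr == "USER":
            last_user = arg.strip()
    # The user in effect at runtime is the last USER instruction, if any.
    if last_user is None:
        findings.append("no USER instruction: container runs as root")
    elif last_user.split(":")[0] in ("root", "0"):
        findings.append(f"USER {last_user}: container runs as root")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", DOCKERFILE_BAD), ("good", DOCKERFILE_GOOD)):
        print(name, "->", review_dockerfile(text) or "ok")
```

Digest pinning is content addressing, not a signature: it guarantees that the image pulled is byte-for-byte the one that was reviewed, but not who published it. Signature verification on the Docker side is a separate switch, Docker Content Trust (the DOCKER_CONTENT_TRUST=1 environment variable), which makes pull, build and run refuse unsigned tags; this review check complements it rather than replacing it.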