Harish Krishnan and Vasantharaju M S, Intel Corporation
Continuous Integration (CI) is no longer specific to Extreme Programming; most organizations that follow any form of Agile product development practice adopt it. The two major benefits organizations derive from CI are build verification and test automation. Test automation in CI usually covers unit testing, functional testing, integration testing, and so on, so that every check-in a developer makes is tested automatically to confirm that the build compiles and functions. But what about the security of the product?
In most cases, security testing is not automated but performed manually on a milestone build or, worse, at the end of the project. As the number of companies offering Software as a Service (SaaS) grows, and reliance on Continuous Deployment or Continuous Delivery pipelines increases, every change can potentially be deployed to production. There is a pressing need to do security testing more often or, better yet, on every change.
What if you could run security test cases, security scanners, and other security-related build verifications during CI? This is where Continuous Integration meets Application Security. For example, static code analysis with security checkers can run on every build; defenses against specific vulnerability classes such as blind SQL injection or cross-site scripting (XSS) can be verified as integration tests; and an audit for vulnerable third-party libraries can be run on the build that CI produces. Automating security testing in CI builds leverages the integration-testing platform CI already provides to assure application security. Of course, we can only deliver secure solutions as fast as we can test them; adding security testing to your existing CI capabilities helps achieve this goal.
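As an illustration of the "defense verified in integration testing" idea above, here is an added example (not code from the paper or from Intel) of a security regression test of the kind a CI job can run on every check-in. It assumes nothing beyond the Python standard library: an in-memory SQLite database with a constructed `users` table stands in for the application's data store, a deliberately vulnerable lookup sits beside its parameterized replacement, and a small boolean-based blind SQL injection probe decides whether each one resists injection. The payload strings and the `injection_resisted` helper are the example's own.

```python
"""CI security regression test: does the user lookup resist SQL injection?

Added example, not from the paper. Uses an in-memory SQLite database and a
constructed sample table so it runs offline inside any CI job.
"""
import sqlite3

# Constructed sample data for the example, not taken from the paper.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a fresh in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's input is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_safe(conn, name):
    """Hardened: the value travels as a bound parameter, never as SQL syntax."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


# Blind SQLi probe. The attacker gets no error text back; the only signal is
# whether the boolean-true and boolean-false variants behave differently.
# "--" starts a comment in SQLite, swallowing the closing quote.
BLIND_TRUE = "alice' AND 1=1 --"
BLIND_FALSE = "alice' AND 1=2 --"
TAUTOLOGY = "' OR '1'='1"
PAYLOADS = (BLIND_TRUE, BLIND_FALSE, TAUTOLOGY)


def injection_resisted(lookup):
    """Return True when `lookup` treats every payload as a literal user name.

    A correct implementation finds no user literally called "alice' AND 1=1 --"
    and so returns None for all payloads. Any row coming back, or any SQL
    error raised by attacker-controlled input, means the input reached the
    SQL parser and the defense has regressed.
    """
    conn = make_db()
    try:
        results = [lookup(conn, payload) for payload in PAYLOADS]
    except sqlite3.DatabaseError:
        return False
    finally:
        conn.close()
    return all(result is None for result in results)


def blind_probe_leaks(lookup):
    """True if the true/false payload pair is distinguishable (blind SQLi oracle)."""
    conn = make_db()
    try:
        return lookup(conn, BLIND_TRUE) != lookup(conn, BLIND_FALSE)
    except sqlite3.DatabaseError:
        return True
    finally:
        conn.close()


# A pytest-style test function: collected and run on every CI build.
def test_user_lookup_resists_sql_injection():
    assert injection_resisted(lookup_email_safe)
    assert not blind_probe_leaks(lookup_email_safe)


if __name__ == "__main__":
    for fn in (lookup_email_vulnerable, lookup_email_safe):
        print(f"{fn.__name__}: resisted={injection_resisted(fn)} "
              f"blind_leak={blind_probe_leaks(fn)}")
```

Wiring a file like this into the CI test stage turns "we use parameterized queries" from a code-review convention into a check that fails the build the day someone reintroduces string concatenation; the same pattern (known-bad inputs, assertion that the defense holds) extends to XSS payloads against a templating layer.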
This paper covers the prerequisites, processes, and tools required to automate security testing in Continuous Integration, based on our learning and experience.