Week 6

Continuous Integration (CI) is a software development practice in which developers merge their code changes into a shared mainline several times a day. Each check-in by a developer is run through automated build and verification. This is a significant departure from traditional software development practice and is quickly becoming mainstream. Even though the CI methodology was introduced in 2001, the majority of organizations opted for the conventional development life cycle. The trend is changing fast, however: a 2013 study conducted by Actuation Consulting Research states that at least 74% of software organizations are using the CI methodology.

The CI methodology presents security challenges: it is not feasible to run security scans only at the end of a sprint or when an internal release (IR) is scheduled. For example, a static scan is typically executed on the binary files to detect vulnerabilities. The main issue is that CI is by definition “continuous”, so security scans should be built into the CI process itself. When static scans are integrated into the CI build, that is where Continuous Integration meets Application Security. The end goal is to make the process effective and detect security vulnerabilities as soon as possible. If any vulnerabilities are found as part of a CI build, the build is rejected and the development team is notified.

So how do we go about automating this process? Vendors like Veracode, Core Security and Checkmarx provide APIs that development groups can integrate into the CI process. As soon as the build completes, the binaries are sent to the vendor platform via these APIs, and the platform scans them for vulnerabilities. If any vulnerabilities are found, the build is rejected and the proper notifications are sent out.
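The build gate described above, as an added example that is not taken from any of the vendors named here: a scan report comes back from the scanner, a severity policy decides whether the build is rejected, and a notification summary is produced for the development team. The report format, severity names and `fail_at` threshold are assumptions; the sample report is constructed so the script runs offline.

```python
"""CI security gate: reject a build when a scan reports findings above policy.

The scanner API, report shape and policy threshold are assumptions for this
example, not any vendor's real interface. SAMPLE_REPORT stands in for the
JSON a scanner would return after the build's binaries were uploaded.
"""
import json
import sys

# Higher rank means more severe. Unknown severities are treated as critical
# so a misspelled or new severity label can never slip a finding past the gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values())

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "artifact": "app-1.4.2.jar",
    "findings": [
        {"id": "F-1", "severity": "high", "cwe": "CWE-89", "file": "UserDao.java", "line": 42},
        {"id": "F-2", "severity": "low", "cwe": "CWE-117", "file": "Logger.java", "line": 7},
        {"id": "F-3", "severity": "critical", "cwe": "CWE-78", "file": "Exec.java", "line": 19},
    ],
})


def evaluate(report_json, fail_at="high", baseline=frozenset()):
    """Return (passed, blocking): blocking lists findings at or above the
    fail_at severity that are not in the accepted-risk baseline."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in report["findings"]
        if SEVERITY_RANK.get(f.get("severity", "").lower(), UNKNOWN_RANK) >= threshold
        and f.get("id") not in baseline
    ]
    return (not blocking, blocking)


def format_notification(artifact, blocking):
    """Plain-text message for the team channel or build log."""
    lines = [f"BUILD REJECTED: {artifact} has {len(blocking)} blocking finding(s)"]
    for f in blocking:
        lines.append(f"  [{f['severity'].upper()}] {f['id']} {f['cwe']} at {f['file']}:{f['line']}")
    return "\n".join(lines)


def gate(report_json, fail_at="high", baseline=frozenset()):
    """Exit status for the CI step: 0 passes the build, 1 rejects it."""
    passed, blocking = evaluate(report_json, fail_at, baseline)
    artifact = json.loads(report_json)["artifact"]
    print(f"BUILD OK: {artifact}" if passed else format_notification(artifact, blocking))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT))
```

The non-zero exit status is what makes the CI server mark the build as failed; the baseline set is how an accepted, ticketed finding is kept from blocking every subsequent build.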

The benefits are obvious. Security vulnerabilities are detected as soon as the developer completes the code and checks it in. Developers are informed right away that what they checked in does not meet security best practices and must be addressed before it even goes into the application. Fixing issues while the code is still in development is quick and cost effective.

References:

http://embedded-computing.com/guest-blogs/static-code-analysis-in-a-continuous-integration-world/

https://www.checkmarx.com/2015/04/07/all-you-wanted-to-know-about-continuous-integration-security/
