
Building the Pipeline of My Dreams


I often suggest to teams that they should be using all sorts of tools in their pipelines, from simple static analysis checks and automated builds to security scans and performance testing. I've done presentations and talks at conferences. I've lobbied clients. I've commiserated with my colleagues. But I've never put together my dream pipeline in one of my own projects.

There are always reasons that some tests and tools get left out: our policies won't allow them, they will take too long to get approved, we don't have time, we have bigger problems to deal with, it just isn't what the client is looking for right now. And I usually think, if only I were in charge, I'd make sure we were using those...

In late 2017 I took over maintenance on an open-source project. Now I have no restrictions. The sky's the limit. No one is around to tell me what I can't do. So why don't I have my dream pipeline in place yet?

I'll talk about the trade-offs and compromises I made when building out the pipeline: why I decided to focus on some tools and tests but skipped others, and what I need to do or change to make this delivery process the pipeline I've always dreamed about, now that I have no one else to blame.

Published in: Software

Building the Pipeline of My Dreams

  1. © COPYRIGHT 2018 COVEROS, INC. ALL RIGHTS RESERVED. @CoverosGene #AgileDC
     Building the Pipeline of My Dreams, Gene Gotimer
  2. About Coveros
     • Coveros helps companies accelerate the delivery of secure, reliable software using agile methods
     • Services
       • Agile Transformations & Coaching
       • Agile Software Development
       • Agile Testing & Automation
       • DevOps and DevSecOps Implementations
       • Software Security Assurance & Testing
       • Agile, DevOps, Test Auto, Security Training
     • Open Source Products
       • SecureCI: Secure DevOps toolchain
       • Selenified: Agile test framework
     (Figure: Areas of Expertise)
  3. Selected Clients
  4. Delivery Pipeline
     • Process of taking a code change from developers and getting it deployed into production or delivered to the customer
     • Automated, manual, or a mix
  5. Tests Your Pipeline Might Be Missing
     • List of different types of tests to add to your pipeline
     • Presented as a 10-minute lightning talk at AgileDC 2017
     • Also, TestBash Philadelphia 2017 has a longer version, full video: https://goo.gl/pyuvyL
  6. zap-sonar-plugin
     • Integrates reports from OWASP ZAP into SonarQube
     • Written by Steve Springett
     • https://github.com/Coveros/zap-sonar-plugin
  7. Challenges
     • zap-sonar-plugin is a library
       • Many of the system-level tests don't apply
     • Open-source
       • Everything must be accessible from the Internet
       • Nothing private
       • Anyone should be able to contribute
     • I'm cheap
       • No recurring monthly charges, subscriptions
       • Including VMs
     • Must be easy
       • Infrequent use means I'll forget anything complicated
  8. Source Control
     • Using GitHub
       • Was already hosted on GitHub
       • Would have considered GitLab if I wanted private
     • Pull requests
     • Issue tracker
     • README.md rendering
     • Wiki
  9. zap-sonar-plugin on GitHub (screenshot)
  10. Branching
     • Usually I recommend Git Flow
       • Flexible
       • Supports most use cases
       • Merge features to develop
       • Release from master
     • Switching to GitHub Flow
       • Simpler
       • No develop branch
       • Pull requests merge to master
       • Avoids extra merge from develop to master
     • https://guides.github.com/introduction/flow/
  11. Build System
     • Using Maven
       • Clear winner for Java
       • Convention over configuration
       • Everyone can use it immediately
       • Excellent dependency management
       • Lots and lots of plugins
     • I recommend against Gradle
       • Not because it is bad
       • Because most projects don't need it
     • https://maven.apache.org
  12. Continuous Integration
     • Usually I recommend Jenkins
       • Free, open source
       • Commercial option available
       • Lots and lots of plugins
       • De facto standard
       • Really, so many plugins
     • Using TravisCI
       • Free for open source, hosted
       • Easy GitHub integration, badge
     • https://travis-ci.com
  13. Static Analysis
     • Usually I recommend SonarQube
       • Free, open source
       • Lots of plugins
       • Many languages supported
       • De facto standard
     • Using Codacy
       • Free for open source
       • Easy GitHub integration, badge
     • Also trying Code Climate
       • More specific on maintainability
     • https://www.codacy.com
     • https://codeclimate.com
  14. Libraries up-to-date
     • Usually I recommend OWASP Dependency Check
       • And OWASP Dependency Track
     • My clients often use Sonatype Nexus Lifecycle
       • Want to keep all security findings in house
     • Using Sonatype DepShield
       • Free for open source
       • Currently Maven only
       • npm and Python coming soon
     • https://depshield.github.io
  15. Repeatable, Reliable Deployments
     • Usually I recommend Chef, Puppet, Docker
       • Any of them work
       • Automated deploys are a must-have for a pipeline
     • Using Docker
       • Not deploying, just for testing
       • zap-sonar-plugin is built into a SonarQube image
       • dockerfile-maven-plugin from Spotify: https://github.com/spotify/dockerfile-maven
     • https://www.docker.com
  16. Functional Testing
     • Normally I'd recommend smoke tests after every deploy
       • To test the deploy
     • In this case, the smoke tests = functional tests
       • Load the Docker image
       • Run Selenium tests
       • Load known OWASP ZAP report
       • Make sure expected data is displayed
     • Not written yet
       • Lots of excuses, but they just aren't done
     • https://www.seleniumhq.org
  17. Security Testing
     • Limited exposed interface
       • No API to speak of
     • Relying on
       • Static analysis
       • Library scanning
       • Manual review
     • But considering security on every change
       • In case we need to do some real scanning
  18. Performance Testing
     • Usually I recommend JMeter
       • Free, open source
       • Written in Java
       • Not just for testing Java
       • https://jmeter.apache.org
     • Not doing any performance tests
       • Should measure load and parse times
       • Not currently a concern
  19. Releasing
     • Release means pushing to Central Repository
     • maven-release-plugin
       • To switch from -SNAPSHOT build to release
     • maven-gpg-plugin
       • To sign the release with my GPG private key
       • Cannot easily be automated
     • nexus-staging-maven-plugin
       • To push to Central Repository
     • Also publish library to GitHub releases
       • Using TravisCI
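The three-plugin release flow on the Releasing slide (drop -SNAPSHOT, GPG-sign, push to Central), shown as an added pom.xml illustration that is not the zap-sonar-plugin project's own build file. It assumes a `<server>` with id `ossrh` in the release machine's settings.xml holding the Central credentials, a GPG key in that machine's keyring, and a `release` profile name chosen here.

```xml
<!-- Added illustration of a Maven release setup; not zap-sonar-plugin's real pom.xml -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-release-plugin</artifactId>
      <version>2.5.3</version>
      <configuration>
        <!-- release:prepare strips -SNAPSHOT, commits, tags, then bumps to the next -SNAPSHOT;
             release:perform checks out the tag and runs the goals below with the release profile -->
        <tagNameFormat>v@{project.version}</tagNameFormat>
        <releaseProfiles>release</releaseProfiles>
        <goals>deploy</goals>
      </configuration>
    </plugin>
    <plugin>
      <groupId>org.sonatype.plugins</groupId>
      <artifactId>nexus-staging-maven-plugin</artifactId>
      <version>1.6.8</version>
      <extensions>true</extensions>
      <configuration>
        <!-- credentials for "ossrh" live in settings.xml on the release machine, never in the repo -->
        <serverId>ossrh</serverId>
        <nexusUrl>https://oss.sonatype.org/</nexusUrl>
        <autoReleaseAfterClose>true</autoReleaseAfterClose>
      </configuration>
    </plugin>
  </plugins>
</build>
<profiles>
  <profile>
    <!-- signing only runs under this profile, so everyday CI builds never need the private key -->
    <id>release</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <version>1.6</version>
          <executions>
            <execution>
              <id>sign-artifacts</id>
              <phase>verify</phase>
              <goals><goal>sign</goal></goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this layout `mvn release:prepare release:perform` performs the whole sequence, and the interactive GPG passphrase prompt during `release:perform` is the step the slide says is hard to automate.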
  20. Future Work
     • Add Selenium tests
     • Add a performance baseline
     • Full automated release
  21. #Coveros5
     • Be flexible with tool selection. Fill a role, don't just use the tool.
     • Not all pipelines are created equal. Not all projects are the same.
     • Ease of use is important if you don't do it often. Automation can be especially helpful.
     • There are always trade-offs. Even when you only answer to yourself.
  22. The pipeline is never done
     • A little better is still better. Keep improving.
  23. Questions?
     • Gene Gotimer
     • gene.gotimer@coveros.com
     • @CoverosGene
     • https://github.com/Coveros/zap-sonar-plugin
