The adoption of DevOps increased from 66 percent in 2015 to 74 percent in 2016 and the trend shows no sign of slowing down in 2017.
As more enterprises expand their teams working on continuous integration (CI), deployment, and delivery, there is an increasing demand to find the best solution to fit their deployment needs.
Read on to understand the benefits of Bamboo and Jenkins, two of the leading platforms for CI deployment and delivery, as well as the options available for implementing security through static code analysis in both of these solutions.
Bamboo is a continuous integration server from Atlassian. Its purpose is to provide developers with an environment which quickly compiles code for testing so that release cycles can be quickly implemented in production, while giving full traceability from the feature request all the way to its deployment.
Jenkins is a simple application designed to monitor a series of executions in a software environment. For example, it works like ‘Cruise Control’ and offers a single, simple-to-use continuous integration system. Developers can then execute test cycles more easily, and the latest build can be quickly and efficiently delivered to users.
Atlassian’s Bamboo really shines for developers who are already using other Atlassian products such as Jira and Stash. Bamboo is also quite easy to use and supports the full pipeline from continuous integration to continuous delivery.
More reasons to love Bamboo. Source: https://www.slideshare.net/AnnaIoceva/bamboo-presentation-annie-v2-46082758
Veteran Bamboo user Richard Cross outlines below what he considers to be some of the biggest benefits of using Bamboo:
As an open source solution, Jenkins shines for anyone developing on a budget and is a simple and standalone continuous integration tool that is backed by a really supportive community.
Jenkins’ enthusiastic open source backers power the over 1,500 Jenkins community contributed plugins which are available here. These plugins enable users to better build, support and automate their many projects.
The Jenkins wiki includes a number of further reasons why Jenkins should be the build management solution of choice for developers. These arguments include the adoption statistics (detailed Jenkins statistics usage can be viewed here) which point to a major shift for developers from other platforms to Jenkins. Additionally, the team that had been developing Hudson (the project that Jenkins was forked from after a dispute with Oracle) is now working on the Jenkins core.
As mentioned earlier, the Jenkins community shines through their plugin development and most of the plugin developers have chosen to stay with the Jenkins project which means that improvements and bug fixes can be expected for many of the most used plugins.
When it comes to implementing security through static code analysis in build management tools such as Bamboo and Jenkins, there is no built-in, native functionality. Developers will therefore need to use a third-party static code analysis solution to ensure that their analysis is conducted correctly and seamlessly.
One question that users of both Jenkins and Bamboo have often raised is how to implement static code analysis in a build management environment.
The good news is that today’s leading Static Code Analysis (SCA) solutions (belonging to the SAST methodology) integrate with Bamboo out of the box to provide high-quality static code analysis in a smooth, simple-to-operate environment. Developers can quickly integrate their testing with a fast compilation environment for a higher level of certainty that their code is fit for purpose, and can then rely on these code scanners for prompt reporting of vulnerabilities and flaws in the code. You can simply produce a high-level vulnerability report linked to a color-coded HTML report that identifies the specific areas of code in which the vulnerabilities exist, so that a fix can be applied. It’s also simple to set thresholds for failure and ensure that flawed code doesn’t move into production.
Additionally, when you’re running static code analysis in Bamboo, you can report on the historical variation between builds. This means you can identify the specific areas of code, or the specific developers, that are introducing vulnerabilities, and it becomes much easier to determine whether subsequent releases are becoming more or less stable. It’s not difficult to customize reporting so that you see exactly what is relevant to your development team. The result is more secure releases in a faster life cycle, which saves you time and resources.
Jenkins has no facility for static code analysis within the application itself. It’s used to run continuous builds and to monitor jobs running outside the environment, reporting on the outputs of those jobs. This can be frustrating for developers who want to use Jenkins for its automation but also want the application to assist with the security testing of their code.
Jenkins does, however, support static code analysis results from other packages. A plugin captures and parses the results; once they are passed to Jenkins, the application presents them visually in a consistent manner. Jenkins can report on the warnings generated by a build, deliver trend reports showing the level of warnings across subsequent builds, break warnings down by module, type, package and so on, produce severity reports, show an HTML comparison of source and warnings, report on stability and project health, score builds that are “warning free”, send e-mail reports, and more. There is also support for a remote API, so the plugin can be integrated into Jenkins simply, without hours of development time spent on that integration.
The good news is that to enable static code analysis in Jenkins, leading SCA vendors provide an out-of-the-box integration with Jenkins that generates all of these reports. Make sure this box is ticked before you purchase and invest in a static code scanner. Stay safe!
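The failure thresholds and build-to-build comparison described above for Bamboo, and the result parsing a Jenkins plugin performs, as one added Python example of a quality gate a CI step could run over a scanner's report (this is not Checkmarx's, Bamboo's or Jenkins' own code). The JSON report layout, finding ids and the two sample reports are constructed assumptions, not any vendor's real format.

```python
import json
import sys

# Constructed scan results for two consecutive builds. The JSON layout (a stable
# "id" per finding plus severity/file/line/rule) is an assumption, not a real vendor format.
PREVIOUS_SCAN = json.dumps({"build": 41, "findings": [
    {"id": "f1", "severity": "High", "file": "src/Login.java", "line": 42, "rule": "SQL Injection"},
    {"id": "f2", "severity": "Medium", "file": "src/Util.java", "line": 7, "rule": "Weak Hash"},
]})
CURRENT_SCAN = json.dumps({"build": 42, "findings": [
    {"id": "f2", "severity": "Medium", "file": "src/Util.java", "line": 7, "rule": "Weak Hash"},
    {"id": "f3", "severity": "High", "file": "src/Upload.java", "line": 88, "rule": "Path Traversal"},
    {"id": "f4", "severity": "Low", "file": "src/Log.java", "line": 15, "rule": "Info Leak"},
]})

def count_by_severity(report):
    """Tally findings per severity, the numbers a high-level report shows."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for finding in report["findings"]:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts

def compare_builds(previous, current):
    """Historical variation between builds: (new findings, fixed findings)."""
    prev = {f["id"]: f for f in previous["findings"]}
    cur = {f["id"]: f for f in current["findings"]}
    return [cur[i] for i in cur if i not in prev], [prev[i] for i in prev if i not in cur]

def quality_gate(current, previous=None, thresholds=None):
    """Return (passed, reasons): fail on any severity over its threshold, or on new High findings."""
    thresholds = thresholds or {"High": 0, "Medium": 5}
    counts = count_by_severity(current)
    reasons = []
    for severity, limit in thresholds.items():
        if counts.get(severity, 0) > limit:
            reasons.append(f"{counts[severity]} {severity} finding(s) exceed threshold {limit}")
    if previous is not None:
        for f in compare_builds(previous, current)[0]:
            if f["severity"] == "High":
                reasons.append(f"new High: {f['rule']} at {f['file']}:{f['line']}")
    return not reasons, reasons

def run_gate(current_json, previous_json=None):
    """Parse the reports the scanner plugin handed over and apply the gate."""
    previous = json.loads(previous_json) if previous_json else None
    return quality_gate(json.loads(current_json), previous)

if __name__ == "__main__":
    passed, reasons = run_gate(CURRENT_SCAN, PREVIOUS_SCAN)
    print("\n".join(reasons) or "gate passed")
    sys.exit(0 if passed else 1)  # non-zero exit status fails the CI step
```

Run as a build step after the scanner's report is written, the non-zero exit stops flawed code from moving to the next stage while the reasons list gives the trend the text describes.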
Read our whitepaper “The AppSec How To: Application Security in Continuous Integration” here.