Continuous Delivery is a software engineering technique in which a chain of integration phases is applied with the sole purpose of delivering stable software releases to customers. Continuous Delivery ensures that all software parts are integrated frequently and fully tested, resulting in faster release cycles and better-quality products.
The Continuous Delivery process is analogous to an assembly line. Code is initially checked into a revision control system. A series of automated integration phases is then initiated to build the software, perform static analysis and dependency resolution, execute unit tests and finally deploy the product into a pre-production or a production environment. If any of these integration phases fails, the Continuous Delivery pipeline is stopped. Updates and fixes are applied and the process is repeated from the start.
During the test phases an automated security testing solution can be used to identify vulnerabilities. If a critical vulnerability is identified, the process is stopped and feedback is delivered to the development team. The pipeline cannot complete before the critical issues are fixed, thereby ensuring better security.
Automated security solutions suitable for a Continuous Delivery pipeline come in two distinct flavors: static (white-box) and dynamic (black-box). Static analyzers typically work on the application source code. Dynamic analyzers perform real-time tests against the running application, simulating an actual attack. Both types of tools have advantages and disadvantages and should always be used together, and in combination with other tools, for complete coverage.
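The gating step described above, as an added example that is not part of the original article: a small Python script that merges the findings of a static and a dynamic scanner onto one severity scale and exits non-zero when any finding reaches the blocking threshold, which is how a pipeline stage is stopped. The report shape (a JSON list of objects with `id`, `severity` and `title`) and the sample findings are assumptions constructed for the example; real scanners each have their own output schema.

```python
"""Severity gate for a Continuous Delivery pipeline (added example).
Normalizes the JSON reports of a static (SAST) and a dynamic (DAST) scanner
onto one severity scale and exits non-zero when any finding reaches the
blocking threshold, which stops the pipeline. The report shape (a list of
{id, severity, title} objects) is an assumption; real scanners differ."""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize(findings, source):
    """Map raw findings onto a common shape. Unknown or missing severities
    are treated as 'critical' so the gate fails closed."""
    out = []
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            sev = "critical"
        out.append({"source": source, "id": f.get("id", "unknown"),
                    "severity": sev, "title": f.get("title", "")})
    return out

def evaluate_gate(static_findings, dynamic_findings, threshold="critical"):
    """Return a verdict; 'passed' is False when any finding from either
    scanner is at or above the threshold severity."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold: {threshold}")
    findings = normalize(static_findings, "sast") + normalize(dynamic_findings, "dast")
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= limit]
    return {"passed": not blocking, "blocking": blocking, "total": len(findings)}

# Constructed sample reports standing in for real scanner output.
SAST_SAMPLE = [
    {"id": "SAST-1", "severity": "Medium", "title": "Weak random in token generation"},
    {"id": "SAST-2", "severity": "low", "title": "Verbose error message"},
]
DAST_SAMPLE = [{"id": "DAST-1", "severity": "CRITICAL", "title": "SQL injection in login form"}]

if __name__ == "__main__":
    # Usage: gate.py [sast.json] [dast.json] [threshold]; defaults use the samples.
    sast = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAST_SAMPLE
    dast = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else DAST_SAMPLE
    verdict = evaluate_gate(sast, dast, sys.argv[3] if len(sys.argv) > 3 else "critical")
    for f in verdict["blocking"]:
        print(f"BLOCKING [{f['source']}] {f['id']} {f['severity']}: {f['title']}")
    sys.exit(0 if verdict["passed"] else 1)  # non-zero exit halts the pipeline
```

Lowering the threshold to `high` or `medium` makes the gate stricter without changing the scanners; a finding with an unrecognised severity always blocks, so a malformed report cannot slip a release through.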