Continuous integration (CI) has long left the stage of experimental practices and moved into mainstream software development. It is used everywhere from start-ups to large organisations, in a variety of technology stacks and problem domains, from web applications to embedded software.
However, the security implications of introducing CI are often overlooked or underestimated. Whitepapers and advisories exist on this topic, but most are sales-oriented, promoting a specific tool or some other silver bullet that will supposedly solve all of your security problems.
This paper focuses on the technology and process changes involved in setting up a CI environment and aims to provide best-practice guidance for introducing CI into your secure software development life cycle (SDLC).