By Raj Srinivas, CTO, SecureKloud Technologies Limited
Typically, customers use cloud infrastructure to develop and deploy applications and services securely. DevOps defines the complete life cycle process of development, deployment and operations of an application in a cloud setup. It not only covers the application development areas of inception, design, build, test, but also covers operational areas of release, deploy, operate and monitor, and any support & maintenance needed for the application on a continuous basis.
DevSecOps defines the application of security processes/protocols, security software at every stage of the DevOps processes defined above, so application and associated infrastructure security is taken care of right from the inception stage until maintenance stage without any hitch on a continuous basis through automation.
Before we dive into the technical nature of DevSecOps, I just want to emphasize the mindset of the development, operations and security staff needed to accomplish efficacy in the DevSecOps Methodologies. Since Continuous Secure Integration and Continuous Secure Delivery (CI/CD) is a collective responsibility of all teams concerned and can only solely be accomplished with application of the right processes and technology, every DevSecOps team member should be selfless with a mindset of executing the shared responsibilities of security & development and deployment expected of them in an uncompromising manner. The reason being, since an agile environment is envisioned here, all parties have to be quick enough to identify and meet their end of responsibilities in order to keep the automatic CI/CD pipeline constantly synched up for the cloud application and associated infrastructure to be delivered continually.
So, what is a CI/CD pipeline? CI/CD pipeline is a set of processes that needs to be followed to successfully deliver a set of software functionalities of an application reliably and frequently to different cloud environments like Dev, QA & Production. Effective Automation of these set of processes (with the help of software tools) will determine the efficacy of the CI/CD pipeline. CI Automation involves taking each unit of the software development process like Design, Code, Build & Test and integrating the appropriate software plugins needed for each of these functions to be performed seamlessly to form a virtual digital pipeline.
This will enable the functions to be performed one after the other automatically by effective triggers that are setup in the pipeline. The primary requirement is a repository or a version control software that is needed to store the source code or other artifacts like design document, unit test results, security tests, vulnerability tests, penetration tests, threat assessments etc., that is delivered for each release by the appropriate teams. The time between 2 releases could be as short as a few hours to as long as few weeks.
Once the code is committed by the development team in the version control repository for a particular release, build process is triggered after which automation test scripts (through the right automation tools) can be executed as part of a continuous test process in the pipeline. Any failure at this stage is fed back to the development team to fix. Please note that at this point any relevant unit tests and other security and automated tests related to previous set of features (from previous releases) will also be going through the auto test cycle in the CI process to ensure there are no software feature breakages. This process is repeated in the pipeline controlled and orchestrated by the software tools (that are configured by humans to automatically do their jobs) until the release is good to go.
Now the CD (Continuous Delivery) portion of the pipeline is activated. By CD we mean taking the compiled and tested application binaries and transporting them to the right webserver, database, application server or any other server in the cloud. These cloud servers could be part of the various environments like Development, QA and Production or any such. Again, appropriate deployment scripts based on cloud environment variables, deployed at each of the CD pipeline junctions ensures that the software plugins responsible for the CD process execute these scripts and make sure the software release gets deployed in the right servers in the right environment flawlessly and automatically.
After the release is delivered the operations teams takes over to monitor, support and maintain the service features of the application again through automatic tools that can aid in each of these functions. Monitoring tools that do port scanning, vulnerability assessments, penetration tests, service level monitoring, server performance monitoring etc. can be integrated to make sure the operational pipeline can be well maintained. Any critical bugs reported at this stage can trigger a quick release of the software through the CI/CD pipeline once again from the beginning stage, since all the automation tools, processes in the pipeline are in place for a quick release and delivery. The critical bug that is addressed could be functionality, feature or even a security loophole that was found out by the continuous monitoring process.
Please note that since security is of paramount importance any security related tests are induced into the pipeline from release 1 of the application itself. It could be a release with only a few features, but still all the security protocol/threat related tests, vulnerability and penetration tests are triggered even from this early stage itself. By adapting to the burden of security early in the process, a holistic approach to all DevSecOps Methodologies is carried out and it will pay rich dividends when future mature releases of the application are carried out to different cloud environments, both from infrastructure security and application security standpoints.
Thus, we see that there is a distinct advantage in maintaining a CI/CD pipeline that addresses all the DevSecOps methods in order to perform quick and reliable software releases in the cloud. The primary idea behind shorter cycles of delivery is to ensure there are less defects and software merge issues during development. Precisely defined processes, the right kind of tools/plugins and dedicated set of team members to setup the automation CI/CD pipeline, have provenly resulted in optimal development & service delivery of secure cloud application and infrastructure.