Modern development organizations are increasingly using cloud computing attributes like elasticity, API-driven infrastructure as code (IaC), and native immutability for their DevOps and agile development practices. Through DevOps, organizations are seeing these outcomes:
In the many engagements in which we've helped customers migrate and develop applications in Oracle Cloud, I have found that security is often a critical missing element in customer DevOps processes. In these cases, security is treated as a siloed and gated activity that, when missed or applied too late, leads to missed project deadlines and vulnerable systems.
In this series of blog posts, I describe how you can help weave security into every aspect and phase of DevOps processes. First, let's focus on some key DevOps components.
Continuous integration (CI) is the process for quickly integrating new code into an existing software product. Activities are driven by workflows to implement, test, and merge features. A small set of features is added in a branch of the main source code. Those features are submitted for review and for automated functional and unit tests. After successful testing, the code is merged into the main branch in the repository for deployment.
Continuous delivery (CD) is the process of using automation to deploy software into the services that customers use. In the CD process, one step triggers the next. For example, merging code changes into the CI pipeline triggers the deployment of the updated software package on new infrastructure. A successful deployment starts an automated testing cycle. When testing is complete, the infrastructure is promoted to a new staging environment where user acceptance testing (UAT) occurs. Successful UAT triggers the replication of this environment into production, and the previous staging and production infrastructures are then destroyed.
The CD process is possible because of the automation of cloud IaaS attributes. Oracle Cloud Infrastructure exposes all of its services to operators (and developers) through well-defined APIs and code. Oracle Cloud Infrastructure services also natively support open source provisioning tools like Terraform and Ansible. These tools enable customer DevOps teams to programmatically construct immutable infrastructures from code. This approach not only makes the programmatic creation and destruction of environments through CI/CD pipelines possible but also reduces the number of errors compared with doing it manually.
CI, CD, and IaC are integrated components of DevOps, whereas security teams are traditionally outside of DevOps and often not aligned with the software development teams. Security teams primarily interact with the operations teams, but that interaction can be periodic rather than continuous. While the operators focus on uptime and response times, the security engineers generally focus on vulnerabilities and the associated risks that might lead to compliance issues. Most of the time, the security teams react to incidents and various cyberthreats. On the surface, it's difficult to integrate security with DevOps processes.
To successfully implement DevOps, developers and operators should work on the same team for the same development project. Similarly, to help secure DevOps, the security team should work closely with the developers and operators so that there is no barrier. To accomplish this, use automation, which is proving to be a great dissolver of silos. To make security an integral part of DevOps (as in DevSecOps or SecDevOps), the security team needs to build and test controls iteratively, in step with the new features being developed, integrated, or deployed using the CI/CD pipeline.
This cyclical process of running security tests throughout the lifecycle of the application is also referred to as a continuous security process.
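One concrete form of such an iterative, pipeline-embedded control is a gate that inspects the IaC change before it is applied. The following is an added example, not code from the original post or from Oracle: it reads the JSON that `terraform show -json` emits for a plan and fails the pipeline stage when a security list would expose a remote-admin port to the whole internet. The `oci_core_security_list` rule layout in the embedded sample is a constructed, simplified shape used only to illustrate the check.

```python
"""Pipeline gate for Terraform plans (added example, not Oracle's code)."""
import json

ANY_IPV4 = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}  # remote-admin ports that must not be world-reachable

def rule_violations(resource_address, rule):
    """Return findings for one ingress rule; empty list if the rule is acceptable."""
    if rule.get("source") != ANY_IPV4:
        return []
    proto = str(rule.get("protocol", ""))
    if proto == "all":
        return [f"{resource_address}: all protocols open to {ANY_IPV4}"]
    if proto != "6":  # 6 is TCP in IANA protocol numbering
        return []
    tcp = rule.get("tcp_options") or {}
    lo, hi = tcp.get("min", 1), tcp.get("max", 65535)  # no range given means all ports
    hit = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
    return [f"{resource_address}: tcp {p} open to {ANY_IPV4}" for p in hit]

def find_violations(plan):
    """Walk a Terraform plan (terraform show -json output) and collect findings
    for security lists that the plan would create or update."""
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != "oci_core_security_list":
            continue
        if not {"create", "update"} & set(change["change"]["actions"]):
            continue  # deletions and no-ops cannot open anything new
        after = change["change"].get("after") or {}
        for rule in after.get("ingress_security_rules", []):
            findings.extend(rule_violations(change["address"], rule))
    return findings

# Constructed sample plan: one compliant HTTPS rule, one SSH-to-the-world rule,
# and one security list being deleted (ignored by the gate).
SAMPLE_PLAN = json.loads("""{
  "resource_changes": [
    {"address": "oci_core_security_list.web", "type": "oci_core_security_list",
     "change": {"actions": ["create"], "after": {"ingress_security_rules": [
        {"source": "0.0.0.0/0", "protocol": "6", "tcp_options": {"min": 443, "max": 443}},
        {"source": "0.0.0.0/0", "protocol": "6", "tcp_options": {"min": 22, "max": 22}}
     ]}}},
    {"address": "oci_core_security_list.old", "type": "oci_core_security_list",
     "change": {"actions": ["delete"], "after": null}}
  ]}""")

if __name__ == "__main__":
    problems = find_violations(SAMPLE_PLAN)
    for p in problems:
        print("POLICY VIOLATION:", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Wired in as a CI step between `terraform plan` and `terraform apply`, the non-zero exit blocks the merge or deployment until the rule is fixed, which is the point at which fixing it is cheapest.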
Continuous security has three major pillars: test-driven security, incident detection and response, and risk assessment.
In this post, I covered the basics: the overall approach to CI, CD, and IaC, and then building security into DevOps by moving toward continuous security, which involves test-driven security, incident detection and response, and risk assessment.
In the next four parts, I'll explore the following topics:
For more information, see the Oracle Cloud Infrastructure documentation.
I’d like to extend a sincere thanks to Johnnie Konstantas for technical review.