X

Integrating Security with DevOps on Oracle Cloud (Part 2 of 5)

This post is part 2 in our blog series about how we integrate security with a generic DevOps-based application development process. In part 1, we defined DevOps methodology and practices, focusing on how to integrate continuous security into the larger DevOps process to support continuous application development and operation.

In this post, we cover some of the fundamental infrastructure components, such as cloud firewall services, identity management services, and continuous patching without downtime.

Network and Application Security Services

When you develop an application, or add or remove features, it’s essential to ensure that only required TCP ports are open. Opening ports that aren’t required can lead to exploits and compromises caused by vulnerabilities in the OS or supporting applications. The following figure shows the danger of keeping TCP ports open and accessible to nontrusted networks.

Diagram courtesy of https://geekflare.com/port-scanner-server/

In the previous post, we talked about how to integrate continuous security testing in the CI/CD pipeline. Generally, you could use an NMAP-based scanning tool for your internet-facing applications.

Most of the time, you need to keep some of these less secure ports—such as 123 for NTP, 69 for TFTP, or 137 for NetBIOS—open for supporting services and the application to work correctly. But you should ensure that these ports aren’t exposed to nontrusted networks by using firewall services.

Use Firewalls to Restrict Access

In Oracle Cloud Infrastructure, firewall services aren’t treated as a separate security control. Instead, they are fundamental components that can be manipulated through Infrastructure as Code (IaC). When you are developing application features, you should programmatically update or modify these firewall parameters. Oracle Cloud Infrastructure firewall services provide port filtering at the virtual cloud network (VCN) subnet level (security lists) and microsegmentation within a subnet at the VNIC level (network security groups). These services have well-defined APIs and SDK support.

All the major security and firewall vendors have products certified on Oracle Cloud Infrastructure. Some of our major security partners in the firewall technology area are CheckPoint, Cisco, Palo Alto, Fortinet, A10, and Aviatrix. They all provide a solid set of APIs and SDKs to programmatically configure their products on Oracle Cloud Infrastructure as virtual or bare metal appliances.

Protect Applications Listening on Open Ports

After closing down access to certain TCP ports, the next big security task is to protect the application listening on required open ports. For this kind of application security, a web application firewall (WAF) is typically used. Oracle Cloud Infrastructure WAF can be enabled with the Oracle Cloud Infrastructure Load Balancing service and configured using APIs and SDKs as part of IaC. We’ve also introduced next-generation runtime application self-protection (RASP) products through partners such as Imperva and Run Safe Securities. Using Terraform and Ansible, we can automate the instantiation and installation of these products as part of the application security configuration during application development cycles.

We've also programmatically integrated other Oracle Security products, such as Cloud Access Security Broker and Identity Cloud Services, to continuously monitor, protect, and authenticate application code and cloud resources a part of the DevOps processes and phases.

Patch Operating Systems

The next big task is to protect and continuously patch the OSs of the underlying hosts on which the applications or containers run. Oracle Autonomous Linux, along with the upcoming OS Management Service, addresses this continuous OS patching requirement. This service will use Oracle Ksplice to maintain and manage patches without restarting the instances. Ksplice is preinstalled in all Oracle Linux instances, and it’s available for Ubuntu Linux. For CentOS and Red Hat Linux, it can be easily installed automatically through an init script. The command and output look as follows:


Ksplice tracks of all the patches every time a library is modified, and it keeps the patch level updated. For more information about Ksplice, see this blog post.

Continuous Security with Automated Test and Deployment Pipeline

All the preceding security tasks can be integrated with the DevOps CI/CD pipeline tasks for continuous automated deployment.

The Oracle Cloud Infrastructure services and partner products mentioned in this post are integral components of the continuous security process (see the “Pillars of Continuous Security” section in part 1 of this series):

  • The Oracle Cloud Infrastructure firewall and WAF services, and partners’ RASP products, can be integrated with Jenkins to provide test-driven security.
  • With external penetration and exploit testing tools, remediation actions can be coded and automated as part of the automated response process.
  • Oracle Cloud Access Security Broker provides an exhaustive list of cloud security controls and risk assessment services based on automated machine learning, and is part of the continuous security risk assessment process.

Resources and Acknowledgments

For more information, see the following resources:

I’d like to extend a sincere thanks to Johnnie Konstantas for technical review.

What's Next

The next three parts of this series will explore the following topics:

  • Part 3 focuses on securing IaC. It covers how to achieve deployment security (Terraform and Ansible) and network access and entry point security; how to test security lists and add a bastion host; and how to secure database access by using table encryption, roles, and permissions, and asserting permissions through a deployer; and about data security at rest and during migration.
  • Part 4 is all about securing transmission. It covers various cryptography technologies pertaining to PKI and SSL/TLS (TLS handshake, PFS); how to enable HTTPS and obtain certificates; and best practices for using certificates on load balancers, including testing TLS and enabling Strict Transport Security and Public Key Pinning.
  • Part 5 covers the secure delivery pipeline. It covers best practices for managing access controls and permissions for GitHub, the Oracle Cloud Infrastructure Registry, and Oracle Cloud Infrastructure public APIs. It also covers Oracle Cloud access controls—managing permissions by using instance principals and compartment policies, and best practices for distributing secrets.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.