DevSecOps evolved to address the need to build security continuously across the SDLC so that DevOps teams can deliver secure applications quickly. Incorporating testing, triage, and risk mitigation earlier in the CI/CD workflow avoids the time-intensive and often costly repercussions of fixing a defect after it has reached production. This is part of “shifting left,” which moves security testing toward developers, enabling them to fix security issues in their code in near real time rather than “bolting on security” at the end of the SDLC. DevSecOps spans the entire SDLC, from planning and design to coding, building, testing, and release, with continuous, real-time feedback loops and insights.
Security has traditionally been bolted on piecemeal. If DevSecOps is to change that, what does it actually bring to the table?
There are five principles of DevSecOps:
Automate security in: security checks run as pipeline stages, not as a manual review at the end.
Integrate to fail fast: run the checks as early as possible so a failing change is caught on the pull request, not in production.
No false alarms: a gate that fires on noise gets ignored; tune rules and triage findings so that every failure is actionable.
Build security champions: developers in each team who own security for their team's code and act as the bridge to the security function.
Keep operational visibility: monitor what is deployed and feed what is observed in production back into the pipeline.
DevOps and DevSecOps workflow
A developer writes code on a branch of a version control system.
The changes are committed to the version control system.
Another developer retrieves the code from the version control system and runs static analysis on it to identify security defects and code-quality bugs.
An environment is then created with an infrastructure-as-code tool such as Chef. The application is deployed, and security configurations are applied to the system.
A test automation suite is then executed against the newly deployed application: back-end, UI, integration, security, and API tests.
If the application passes these tests, it is deployed to a production environment.
This new production environment is monitored continuously to identify any active security threats to the system.
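As an added example (not part of the original article), the static-analysis step of the workflow above can be turned into an actual build gate: a script that reads a SAST report in SARIF format, applies the team's recorded triage decisions, and fails the build only on untriaged findings at or above a severity threshold. The scanner name, rule ids, file paths and suppression entries below are constructed for illustration; the code uses only the Python standard library.

```python
"""Pipeline security gate: fail the build on untriaged high-severity SAST findings.

Added example, not from the original article. The SARIF document below is
constructed by hand to look like a typical SAST scanner report; the rule ids,
file paths and suppression list are assumptions for illustration only.
"""
import json

# Constructed sample: a minimal SARIF 2.1.0 log with three results.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.1"}},
            {"id": "XSS-002", "properties": {"security-severity": "7.4"}},
            {"id": "LOG-003", "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                  "region": {"startLine": 42}}}]},
            {"ruleId": "XSS-002", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                  "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-003", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                  "region": {"startLine": 3}}}]},
        ],
    }],
})

# Triage decisions kept in the repository: each entry is a finding that a
# security champion reviewed and accepted (e.g. a confirmed false positive).
# Matching is exact on rule id + file + line so one decision cannot silently
# cover new occurrences of the same rule elsewhere. Assumed format.
SUPPRESSIONS = {("XSS-002", "app/views.py", 17)}


def parse_sarif(text):
    """Flatten a SARIF log into (rule_id, path, line, severity) tuples."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: float(r.get("properties", {}).get("security-severity", 0.0))
                 for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append((
                res["ruleId"],
                loc["artifactLocation"]["uri"],
                loc["region"]["startLine"],
                rules.get(res["ruleId"], 0.0),
            ))
    return findings


def evaluate_gate(findings, suppressions, fail_at=7.0):
    """Return (passed, blocking, suppressed).

    blocking:   findings at or above fail_at with no recorded triage decision
    suppressed: findings matched by a triage entry (reported, never fatal)
    Findings below the threshold are left to normal review and never break
    the build, which keeps the gate's failures meaningful ("no false alarms").
    """
    blocking, suppressed = [], []
    for rule_id, path, line, severity in findings:
        if (rule_id, path, line) in suppressions:
            suppressed.append((rule_id, path, line))
        elif severity >= fail_at:
            blocking.append((rule_id, path, line, severity))
    return (not blocking), blocking, suppressed


def main():
    findings = parse_sarif(SAMPLE_SARIF)
    passed, blocking, suppressed = evaluate_gate(findings, SUPPRESSIONS)
    for rule_id, path, line in suppressed:
        print(f"triaged  {rule_id} {path}:{line}")
    for rule_id, path, line, sev in blocking:
        print(f"BLOCKING {rule_id} {path}:{line} severity={sev}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pipeline step after the scanner; a non-zero exit stops the build at the pull request rather than after release. Keying suppressions on rule, file and line keeps triage decisions narrow, and the severity floor means low-value findings are still visible in the report without turning the gate into noise.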
DevSecOps Best Practices
Here are a few best practices that help the DevSecOps process run smoothly:
Automate. DevOps is about speed of delivery, and that does not need to be compromised because security is added to the mix. Embedding automated security controls and tests early in the development cycle keeps delivery fast while raising the security bar.
Use security tooling as a developer aid. Tools that scan code as it is written (IDE plugins, pre-commit hooks, pull request checks) find issues while the author still has the context, which is when they are cheapest to fix.
Carry out threat modelling. Threat modelling exercises help you discover the weaknesses of your assets and plug gaps in your security controls. Azure Sentinel, as a cloud SIEM, can surface the riskiest events occurring across your infrastructure, which tells you where the threat model and the DevSecOps workflow should focus their protections.
Architecture
Flow
Azure Active Directory (AD) can be configured as the identity provider for GitHub Enterprise. Multi-factor authentication can be enabled for extra security.
Developers commit to GitHub Enterprise, driven by work items and bugs tracked with Azure Boards.
GitHub Enterprise can integrate automatic security and dependency scanning through GitHub Advanced Security and GitHub Open Source Security.
Pull Requests trigger CI builds and automated testing in Azure Pipelines.
The CI build in Azure Pipelines generates a Docker container image that is stored in the Azure Container Registry. At release time, Azure Kubernetes Service will use this image.
When the image is pushed to Azure Container Registry, Microsoft Defender for Cloud scans it for known vulnerabilities and produces security recommendations for the pushed image.
A release on Azure Pipelines integrates the Terraform tool, managing the cloud infrastructure as code and provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB.
Azure Pipelines enable Continuous Delivery (CD) to Azure Kubernetes Service by accessing the Container Registry through a secure service connection.
Azure Policy can be applied to Azure Pipelines as a post-deployment gate, or directly to the AKS cluster to enforce policy at admission time.
Azure Key Vault securely injects secrets and credentials into an application at runtime, abstracting sensitive information from developers.
End users authenticate with Azure AD B2C, are required to use MFA for extra security, and are routed through an Application Gateway that load balances and protects the core services.
Continuous monitoring with Azure Monitor extends to release pipelines to gate or rollback releases based on monitoring data. Azure Monitor also ingests security logs and can alert users of suspicious activity.
As the final part of the DevSecOps flow, Microsoft Defender for Cloud provides active threat monitoring of the Azure Kubernetes Service cluster, at both the node level (VM threats) and inside the cluster.
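The admission-time guardrail that the flow above delegates to Azure Policy on AKS (covering the Container Registry, the Defender image scan and the Key Vault secret handling) can be illustrated with a small checker. This is an added example, not Microsoft's or the page's code: the registry name contoso.azurecr.io, both manifests and the secret-name heuristic are assumptions. It expresses the rules the architecture implies: images only from the organisation's own registry and pinned by digest, no privileged containers, and credentials referenced from a Kubernetes Secret rather than inlined in the manifest.

```python
"""Manifest policy check for a Kubernetes Deployment.

Added example, not code from the article or from Azure Policy. The registry
name, both manifests and the secret-name heuristic are assumptions made for
illustration. Manifests are written as Python dicts (what yaml.safe_load
would return) so the script runs with the standard library only.
"""
import re

ALLOWED_REGISTRIES = {"contoso.azurecr.io"}          # assumed: the team's own ACR
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECRET_NAME_RE = re.compile(r"password|secret|token|api[_-]?key", re.IGNORECASE)


def registry_of(image):
    """Return the registry host of an image reference (docker.io if implicit)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_image(image):
    """Image must come from an allowed registry and be pinned by digest, not tag."""
    problems = []
    if registry_of(image) not in ALLOWED_REGISTRIES:
        problems.append(f"image {image!r} is not from an allowed registry")
    if not DIGEST_RE.search(image):
        problems.append(f"image {image!r} is not pinned by sha256 digest")
    return problems


def check_container(c):
    name = c.get("name", "<unnamed>")
    problems = check_image(c.get("image", ""))
    sc = c.get("securityContext", {})
    if sc.get("privileged", False):
        problems.append(f"container {name} runs privileged")
    if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
        problems.append(f"container {name} allows privilege escalation")
    if not sc.get("runAsNonRoot", False):
        problems.append(f"container {name} does not set runAsNonRoot")
    for env in c.get("env", []):
        # A literal 'value' on a secret-looking variable means the credential
        # lives in the manifest (and in git) instead of a Secret / Key Vault.
        if "value" in env and SECRET_NAME_RE.search(env.get("name", "")):
            problems.append(f"container {name} inlines secret in env {env['name']}")
    return problems


def check_deployment(manifest):
    """Return all policy violations for a Deployment; an empty list means compliant."""
    pod = manifest["spec"]["template"]["spec"]
    problems = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        problems.extend(check_container(c))
    return problems


def _deployment(container):
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "api"},
            "spec": {"template": {"spec": {"containers": [container]}}}}


# Constructed sample manifests: one that should be rejected, one that passes.
BAD_DEPLOYMENT = _deployment({
    "name": "api",
    "image": "api:latest",                                   # Docker Hub, mutable tag
    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],    # credential in git
    "securityContext": {"privileged": True},
})

GOOD_DEPLOYMENT = _deployment({
    "name": "api",
    "image": "contoso.azurecr.io/api@sha256:" + "a" * 64,    # digest placeholder
    "env": [{"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    "securityContext": {"privileged": False,
                        "allowPrivilegeEscalation": False,
                        "runAsNonRoot": True},
})

if __name__ == "__main__":
    for label, m in (("bad", BAD_DEPLOYMENT), ("good", GOOD_DEPLOYMENT)):
        violations = check_deployment(m)
        print(f"{label}: {'compliant' if not violations else 'REJECTED'}")
        for v in violations:
            print("  -", v)
```

Pinning by digest matters here because the Defender scan result is tied to a specific image; a mutable tag such as latest can be re-pointed to an unscanned image after the gate has passed. Azure Policy's built-in Kubernetes definitions enforce equivalent rules at admission, so a checker like this in the release pipeline gives developers the failure earlier, on their own pull request.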
Components
Azure Active Directory provides identity and access management services for your organization, allowing control over access to the resources inside Azure, GitHub Enterprise, and Azure DevOps.
Source code is hosted on GitHub Enterprise, where developers can collaborate within your organization and the open-source communities. GitHub Enterprise offers advanced security features to identify vulnerabilities in the code you write and in open-source dependencies.
Use Azure Boards to plan work and track its progress using Agile tools such as Kanban boards.
Azure Pipelines is a service that provides Continuous Integration and Continuous Delivery jobs to build and release your application automatically.
Host your Docker container images on Azure Container Registry. This service includes container image scanning and integration with Microsoft Defender for Cloud.
Azure Kubernetes Service offers a Kubernetes cluster that is fully managed by Azure to ensure the availability and security of your infrastructure.
Terraform is a third-party product developed by HashiCorp that allows infrastructure automation on Azure, as well as on other environments.
Azure Policy lets you create, assign, and manage policies. These policies enforce different rules and effects on your resources so that they stay compliant with your corporate standards and service level agreements. It also integrates with Azure Kubernetes Service.
Azure Key Vault can store certificates, connection strings, tokens, and other secrets. This sensitive information is read by your application at run-time, so it's abstracted away from your developers.
Azure Cosmos DB is a globally distributed, multi-model database service that is fully managed and compatible with multiple APIs, including MongoDB, Cassandra, and SQL.
Azure Application Gateway is a Layer-7 load balancer that supports advanced routing rules and a web application firewall (WAF).
Using Azure Monitor, you can gain insights into the availability and performance of your application and infrastructure. It also gives you access to signals to monitor your solution's health and spot abnormal activity early.
Using Azure AD B2C you can provide identity services to consumers (end-users) of your application, even if they're not part of your organization.