DevSecOps ROI

The best ROI comes not from body-shopping engineers but from providing a holistic approach to transformation and improvement that drives business value for clients.

Use Cases: Dev(Sec)Ops is a good use case for digitally based system development, including refactoring. The main use case for DevOps is longer-lived products which are monetised and which undergo version and requirements changes driven by various factors (market demands). This entails a longer-lived, 'Agile' team involved in developing and supporting this on-going model. In these use cases the IP, golden images and related application data must be stored, backed up and protected. For longer-lived, digitally monetised products, the Business should be embedded inside the Agile team.

AWS cloud platforms (EC2, S3, EMR, Redshift, supporting networking, security, management and monitoring services)

AWS DevSecOps assumes very good knowledge of the Service-Compute Fabric (EC2, EBS), VPC networking and related configuration including security, and S3 used as an object store for block, file, image and golden-image data. AWS native monitoring services are always used (CloudWatch, CloudTrail) along with VPC Flow Logs. Nagios, Splunk, Dynatrace and other monitoring and reporting tools or frameworks (usually the client will have their own preferred list, e.g. Datadog) must be thoroughly understood and used. There is usually an integration with ITSM for VM and container ordering and configuration, along with SaaS products (e.g. testing). Migration patterns for on-premises data stores to Redshift have been developed, including the use of the requisite migration tooling.

Use Cases:

Migrations and specific environment deployments (dev-test-prod) use patterns to support application re-platforming or new builds. Monitoring includes Nagios, Dynatrace, Datadog, Splunk, CloudTrail and CloudWatch, and often involves creating a 'single pane of glass' for monitoring and reporting within an ITSM for clients. SIEM and SIAM integration is also performed with the AWS infrastructure monitoring and reporting logs.

SVN, CodeCommit, GitHub, Git (Bitbucket) and Jenkins

Jenkins is the de-facto standard CI server for many projects on AWS. Successful projects design Jenkins for high availability in each environment: within dev-test-prod, Jenkins CI availability must be considered, which means an HA architecture. Code repo integration and branch-trunk strategies (including unit and code testing) are standard project work. The ppt deck gives some patterns for Jenkins-code repo integration. Along with this, the entire AMI process of standards, creation, discovery and verification to prevent configuration drift is also important. Patterns for CI-CD, including the deployment of containers and VMs, should be used.
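The AMI verification step mentioned above, as an added example (not the page's own tooling): given an approved golden-image catalogue per environment, flag every running instance whose image is not in the catalogue, which is what a drift check in a Jenkins job would report. The instance inventory and the ami-... ids are constructed placeholders; in practice the inventory would come from an EC2 DescribeInstances call and the catalogue from the image pipeline.

```python
"""Golden-image verification: report EC2 instances whose AMI is not approved
for their environment (configuration drift)."""

from dataclasses import dataclass

# Constructed catalogue: environment -> approved (golden) AMI ids.
# The ami-... values are placeholders, not real images.
APPROVED_AMIS = {
    "dev":  {"ami-0000dev0001", "ami-0000dev0002"},
    "test": {"ami-0000test001"},
    "prod": {"ami-0000prod001"},
}


@dataclass(frozen=True)
class Instance:
    instance_id: str
    environment: str   # value of an assumed 'Environment' tag
    image_id: str


# Constructed inventory standing in for a DescribeInstances result.
INVENTORY = [
    Instance("i-0a1", "dev", "ami-0000dev0001"),
    Instance("i-0a2", "dev", "ami-0000old0099"),      # stale image
    Instance("i-0b1", "test", "ami-0000test001"),
    Instance("i-0c1", "prod", "ami-0000dev0001"),     # dev image running in prod
    Instance("i-0c2", "unknown", "ami-0000prod001"),  # untagged / unknown env
]


def find_drift(inventory, approved=APPROVED_AMIS):
    """Return (instance_id, reason) for each instance that is not running an
    approved image for its environment; instances with no catalogue are also
    reported, since an untagged host cannot be verified."""
    findings = []
    for inst in inventory:
        allowed = approved.get(inst.environment)
        if allowed is None:
            findings.append((inst.instance_id,
                             f"no approved catalogue for environment '{inst.environment}'"))
        elif inst.image_id not in allowed:
            findings.append((inst.instance_id,
                             f"image {inst.image_id} is not approved for {inst.environment}"))
    return findings


if __name__ == "__main__":
    for instance_id, reason in find_drift(INVENTORY):
        print(f"DRIFT {instance_id}: {reason}")
```

A Jenkins job would run this after each deployment and fail the build (or open an ITSM ticket) when the list is non-empty, so that drift is caught rather than accumulating.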

Use Cases:

CI-CD use cases include the deployment of VMs or containers (Docker, Kubernetes, OpenShift). CI-CD has two general paths, using CI and CM (configuration management): the first is 'immutable' infrastructure, the second node-configuration management. Which model is followed depends in part on the client's tool choice and on the requirements around server provisioning (snowflakes vs permanent and known). CI-CD is based on IaC. For many clients Jenkins and Chef (or similar) are used within IaC deployments to prevent configuration drift. IaC can include CFT and SAM templates to automatically provision the underlying VPC and network-compute layer. The application layer is usually stateless and SOA, and the pipeline is fully automated from code repo update to deploying the images and infrastructure via JSON scripts or CloudFormation templates. In any event it is important to ensure that the DevSecOps pipeline has both CI and CM servers.

Infrastructure as code

IaC, or immutable infrastructure deployment, includes the automated pipeline of application deployment and the associated infrastructure setup, including networking and compute. The use of templates makes IaC a necessity for many firms who want to improve security, adopt common deployment models and reduce configuration drift. IaC on AWS includes both immutable and node-managed infrastructure. Key aspects include provisioning the network, isolated instances, created and managed images, persistent storage, logging (syslog, ELK), metrics and S3 integration.

Use Cases:

IaC is used as part of the CI-CD pipeline, based on JSON or YAML templates (CloudFormation templates) which deploy a pre-approved configuration and environment. These templates are stored in S3. CloudFormation provisions the infrastructure per environment (dev-test-prod) from these templates, linked to code changes. These template or text files are used by DevOps tools to automatically provision and configure build servers, testing, staging and production environments. You must use design patterns for IaC.

Fix vulnerabilities

Vulnerabilities usually refer to security issues. There are a number of methods to reduce vulnerabilities, including secure processes and integrated testing. First, network segmentation and firewalling, e.g. Jenkins behind a firewall on a private subnet. Standardise on an OS (this reduces security risk). Within CI-CD, clients have used pre-defined catalogue patterns to minimise security drift. Within the process, CodePipeline has been used to test deployment configurations and reduce risk. Automated testing of code and integration is implemented.

Within environments, secure deployments would include anti-malware (e.g. Trend Micro), IDS (Suricata or similar), OpenSCAP, application and infrastructure monitoring (Nagios, Dynatrace), firewalls, security groups, network segmentation, the use of AWS Trusted Advisor, and other best practices. Fixing vulnerabilities involves 'operations', which includes people, tools and processes, all of which must be set up. Trouble ticketing, incident and problem resolution platforms (e.g. ITSM), or at least procedures, are built.
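The IaC use case above (pre-approved CloudFormation templates per environment) and the "Jenkins behind a firewall on a private subnet" pattern from the previous paragraph, combined in one added example that is not the page's own template: a Python script builds a per-environment template as a dict (which serialises to the JSON or YAML that is stored in S3) and runs a guard-rail check before the template is deployed. Resource names, CIDR ranges and the assumed admin range 10.0.0.0/8 are assumptions; the check encodes one catalogue rule: no security group may expose port 22 or 8080 to 0.0.0.0/0.

```python
"""Generate a per-environment CloudFormation template that places a Jenkins
controller on a private subnet, and check it against a guard rail before it is
stored in S3 and deployed."""

import ipaddress
import json

# Assumed per-environment VPC ranges (constructed for the example).
ENV_CIDRS = {"dev": "10.10.0.0/16", "test": "10.20.0.0/16", "prod": "10.30.0.0/16"}
ADMIN_CIDR = "10.0.0.0/8"     # assumed corporate/VPN range; never 0.0.0.0/0
SENSITIVE_PORTS = {22, 8080}  # SSH and the Jenkins web UI


def build_template(env):
    """Return a CloudFormation template (as a dict) for one environment."""
    vpc = ipaddress.ip_network(ENV_CIDRS[env])
    subnet = list(vpc.subnets(new_prefix=24))[1]   # second /24, e.g. 10.10.1.0/24
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"Jenkins CI network for {env}",
        "Resources": {
            "Vpc": {"Type": "AWS::EC2::VPC",
                    "Properties": {"CidrBlock": str(vpc)}},
            "PrivateSubnet": {
                "Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "Vpc"},
                               "CidrBlock": str(subnet),
                               "MapPublicIpOnLaunch": False},   # no public IPs
            },
            "JenkinsSg": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Jenkins controller, admin range only",
                    "VpcId": {"Ref": "Vpc"},
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "CidrIp": ADMIN_CIDR},
                        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                         "CidrIp": ADMIN_CIDR},
                    ],
                },
            },
        },
    }


def check_template(template):
    """Return (logical id, port) for every ingress rule in the template that
    opens a sensitive port to the whole internet."""
    violations = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if rule.get("CidrIp") != "0.0.0.0/0":
                continue
            if rule.get("IpProtocol") == "-1":        # all protocols and ports
                lo, hi = 0, 65535
            else:
                lo = int(rule.get("FromPort", 0))
                hi = int(rule.get("ToPort", 65535))
            for port in sorted(SENSITIVE_PORTS):
                if lo <= port <= hi:
                    violations.append((name, port))
    return violations


if __name__ == "__main__":
    for env in ENV_CIDRS:
        tpl = build_template(env)
        print(env, "violations:", check_template(tpl))
        print(json.dumps(tpl, indent=2)[:200], "...")
```

The check runs in the pipeline before the upload to S3, so a template edited by hand to open the Jenkins UI to the world is rejected rather than provisioned; the same function can be pointed at any existing template file loaded with json.load.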

Use Cases:

DevSecOps is a mandatory mixture of many areas, including security and testing. Use cases include having a CISO or security SMEs on projects who enforce security principles, security patterns and security configurations per project and per environment. Use cases also include embedding detailed security sign-offs for every deployment, integrating with AWS native security and monitoring services (CloudTrail, VPC Flow Logs, CloudWatch) and third-party products or frameworks including testing (Trend Micro, Nagios, Splunk, HP etc.). Usually there is an integration with the SIEM (or SIAM), for which you will need to perform scripting work for log aggregation and monitoring (e.g. single pane of glass).
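The log-aggregation scripting referred to here and in the monitoring use cases above, as an added example (not a client's integration): parse VPC Flow Log records in the default 14-field format and summarise rejected flows per source address and destination port, the kind of roll-up that feeds a SIEM rule or a single-pane dashboard. The records are constructed (addresses from documentation ranges), and the alert threshold is an assumption.

```python
"""Summarise VPC Flow Log records for monitoring: count REJECTed flows per
source address and per destination port, skipping NODATA/SKIPDATA records."""

from collections import Counter

# Default flow-log record layout (version 2, 14 fields).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: two refused SSH attempts from one source, one refused
# hit on the Jenkins port, one accepted internal flow, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.10.1.20 51235 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.5.9 10.10.1.20 44000 8080 6 40 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.4 10.10.1.20 60000 8080 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Split one record into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarise_rejects(log_text):
    """Return (rejects_by_source, rejects_by_dstport) as Counters."""
    by_src, by_port = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        by_src[rec["srcaddr"]] += 1
        by_port[int(rec["dstport"])] += 1
    return by_src, by_port


def noisy_sources(log_text, threshold=2):
    """Sources with at least `threshold` rejected flows in the batch; the
    threshold is an assumed value for the example."""
    by_src, _ = summarise_rejects(log_text)
    return sorted(src for src, n in by_src.items() if n >= threshold)


if __name__ == "__main__":
    by_src, by_port = summarise_rejects(SAMPLE_LOG)
    print("rejects by source:", dict(by_src))
    print("rejects by port:", dict(by_port))
    print("sources over threshold:", noisy_sources(SAMPLE_LOG))
```

In a real deployment the same functions would be applied to each batch delivered from CloudWatch Logs, and the per-source counter would be what the SIEM alerts on.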

Lambda, API Gateway

Clients are using Lambda, a managed AWS service based on 'serverless' code deployments within event-driven systems, which can be integrated with other AWS services including S3 and DynamoDB. API Gateway provides a 'middleware' layer which decouples consumers from providers of information through a standard interface. API Gateway is a fully managed service to create, publish, maintain and secure APIs (REST, WebSocket) which present application access to data, business logic or functionality from a backend service (EC2 workloads, Lambda code, web apps).

Use Cases:

Use cases for Lambda are varied, usually involving events, scheduling and concurrency. A common use case is Lambda within mobile application platforms for secure sign-in and serverless functionality (mobile app - Cognito - Lambda function). It is also used in a DevOps process where a commit to a code repo triggers a Lambda function which uploads the code to an S3 bucket for storage. Lambda projects include analytics on data stored in DynamoDB tables, where CRUD actions are performed and Lambda is used to aggregate raw data and metrics based on item key and event name. Some clients have endpoints in API Gateway and, given a web client request, route the request to Lambda to invoke a function (e.g. connected cars). Mainframe apps which are migrated to AWS will use serverless, including Lambda, to satisfy concurrency requirements.
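The DynamoDB aggregation pattern described above (roll up raw change records by item key and event name), as an added example that is not a client's code: a Lambda handler for a DynamoDB Streams trigger that reduces a batch of stream records to per-(key, event) counts and sizes. The event shape is the one Lambda passes for DynamoDB stream triggers; the batch below is constructed, the partition-key attribute name 'pk' is an assumption about the table schema, and the handler returns the aggregate instead of writing it to a metrics table so that it runs offline.

```python
"""Lambda handler: aggregate a DynamoDB Streams batch into per-(item key,
event name) metrics."""

from collections import defaultdict


def item_key(record):
    """Extract the partition-key value from the record's Keys map.
    The attribute name 'pk' is an assumed table schema."""
    keys = record["dynamodb"]["Keys"]
    (attr_type, value), = keys["pk"].items()   # e.g. {"S": "order#42"}
    return value


def aggregate(records):
    """Return {"<key>|<event>": {"count": n, "size_bytes": total}} for the batch."""
    counts = defaultdict(int)
    sizes = defaultdict(int)
    for rec in records:
        k = (item_key(rec), rec["eventName"])   # INSERT / MODIFY / REMOVE
        counts[k] += 1
        sizes[k] += rec["dynamodb"].get("SizeBytes", 0)
    return {f"{key}|{event}": {"count": counts[(key, event)],
                               "size_bytes": sizes[(key, event)]}
            for (key, event) in counts}


def handler(event, context=None):
    """Entry point wired to the DynamoDB stream trigger. In a real deployment
    the aggregate would be written to a metrics table or CloudWatch; here it
    is returned so the function can be exercised without AWS."""
    return aggregate(event.get("Records", []))


# Constructed stream batch in the shape Lambda receives from DynamoDB Streams
# (only the fields the handler reads are included).
SAMPLE_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {"Keys": {"pk": {"S": "order#42"}}, "SizeBytes": 120}},
    {"eventName": "MODIFY", "dynamodb": {"Keys": {"pk": {"S": "order#42"}}, "SizeBytes": 130}},
    {"eventName": "MODIFY", "dynamodb": {"Keys": {"pk": {"S": "order#42"}}, "SizeBytes": 128}},
    {"eventName": "REMOVE", "dynamodb": {"Keys": {"pk": {"S": "order#7"}}, "SizeBytes": 90}},
]}

if __name__ == "__main__":
    for metric, values in handler(SAMPLE_EVENT).items():
        print(metric, values)
```

Because the handler is a pure function of the batch, the same code is unit-tested in the CI stage and then deployed unchanged; only the sink for the aggregate differs between environments.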

Some clients are using AWS API Gateway (in lieu of, say, MuleSoft) because it is 'native' to the AWS stack and can handle the tasks and scalability required to accept and process large volumes of concurrent calls (traffic management and the related access control and monitoring). API design is critical, as is dependency mapping.