This article covers the DevSecOps transformation framework and its phases, mapping it to DevSecOps tools on the cloud. It also highlights the benefits of and the best practices for using DevSecOps.
DevSecOps is about introducing security early in the software development life cycle (SDLC) by expanding the collaboration between the development and operations teams to include security teams. This set of concepts, cultural philosophies, practices, team organisation structures and tools increases an organisation’s ability to deliver applications and services at high velocity to its clients. It helps in responding to new requirements quickly, as well as to problems that occur in production. This enables organisations to serve their customers better and compete more effectively in the market.
DevSecOps aims to maximise the predictability, efficiency, security and maintainability of operational processes. It helps in building security into application development from end to end.
Organisations need to understand the relationship between DevSecOps and cloud computing. DevSecOps is about improvement in software development processes and culture, while cloud computing is about technology and services. Organisations need to understand the value that both can bring, when combined, to achieve their transformation objectives.
Industry adoption of DevSecOps tools
The DevSecOps market size is expected to grow almost fourfold from US$ 1.5 billion in 2018 to US$ 5.9 billion in 2023, at a CAGR of 31.2 per cent. It is forecast to reach US$ 6.5 billion by 2025, after growing at a CAGR of 28.85 per cent during 2020-2025 (see References at the end of the article).
According to a Synopsys report (https://www.synopsys.com/glossary/what-is-devsecops.html), organisations in multiple industries can implement DevSecOps to break down silos between development, security and operations so that they can release more secure software faster.
- Automotive: DevSecOps can reduce lengthy cycle times and help meet the software compliance standards.
- Healthcare: It can enable digital transformation efforts while maintaining the privacy and security of sensitive patient data as per regulations such as HIPAA.
- Financial, retail, and e-commerce: Here, DevSecOps can help to fix the Open Web Application Security Project, and also maintain data privacy and security compliance with PCI DSS payment card standards for transactions among consumers, retailers, financial services, etc.
DevSecOps solutions on cloud platforms are expected to help organisations deploy codes easily in the production process, along with enhanced IT security, high performance, and increased scalability.
Cloud and DevSecOps
Cloud and DevSecOps adoption by an organisation helps in providing agility, security, speed and quality to software processes. Companies can build applications in any programming language, as well as deploy and run them quickly and reliably on any infrastructure. Adoption of these technologies also supports automation of software release processes, faster application development, and better monitoring of applications and infrastructure performance.
Applications built on next-generation technologies include components such as omni-channel enablement, microservices adoption, API middleware, mobile apps, content management systems, etc. These applications need high availability and fault tolerance. The cloud can help to make the infrastructure or platform resources available within no time.
Cloud automation or Infrastructure as a Code should become a part of the culture of an organisation to eliminate manual activities in application installation and configuration.
DevSecOps reference framework
DevSecOps is a set or combination of tools that helps in the delivery, development and management of applications throughout a system’s life cycle. At the organisation level, the software teams need to automate the entire cycle of build, provisioning and deployment of test environments, including the tools, scripts and test data to ensure rapid delivery. These teams need to collaborate around the application architecture and monitor event-based mechanisms for seamless data flow across the tool chains.
Listed below are the different stages any software or application has to pass through as part of the DevSecOps transformation journey:
- Portfolio management and collaboration
- Source code management
- Continuous integration
- Containerisation tools
- Database management
The following sections briefly describe the different phases of the DevSecOps life cycle and the open source products that can be used for them.
Portfolio management: The current state of the application and future planning is considered at this stage. DevSecOps readiness assessment across the enterprise is done, along with requirements for DevSecOps implementation, and the approach for the development and transition into operations. The target stage is defined, and the transformation and execution plans are made. The ROI is calculated and the business strategy is made in this phase. In addition, identification of the initial DevSecOps process, the DevSecOps solution and its linkage to the cloud platform is done.
Build: DevSecOps establishes the interdependence of software development and IT operations, and helps an organisation produce software and IT services more rapidly, with frequent iterations.
Development of code may be done in any language, but is maintained by using version control tools. The most popular tools used are Git, SVN, SonarQube, Maven and Ant.
Source code management: Versions are maintained in a central repository that acts like a single source of truth. It helps developers to collaborate on the ‘latest committed’ code, and operations teams can access the same code when they plan to make a release. Whenever there is a fault during the release, Ops can quickly rollback the deployed code and revert to the previous stable state.
Git and GitLab are the leading source control systems. Git allows developers to collaborate with each other on a distributed version control system. GitLab provides the centralised and integrated platform for developers.
Testing: Continuous testing promotes organisation-wide cultural change to promote capabilities like test early, test faster and automate. Continuous testing synchronises testing and QA with Dev and Ops processes that are optimised to achieve business and development goals.
Tools like Tosca, Selenium, Veracode, SonarQube, Cucumber and JUnit are used to automate the execution of test cases.
Continuous integration: Continuous integration (CI) helps developers to integrate code into a shared repository several times a day. It allows teams to detect problems early and verifies each check-in. By integrating regularly, it can detect errors quickly and locate them more easily.
The most popular CI tool in the market is Jenkins. Other popular CI tools are Bamboo and Hudson.
Continuous deployment: In continuous deployment, every change goes through the pipeline and is automatically put into production, resulting in many production deployments every day with greater delivery speed and frequency for complex applications.
Ansible, Kamatera and Vagrant are the most useful continuous deployment tools used in the cloud environment.
Configuration/provision management: Configuration management helps in establishing and maintaining consistency in an application’s functional requirements and performance. Configuration management tools work based on the master-slave architecture.
Popular configuration management tools used in the cloud environment are Puppet, Chef, Ansible, and SaltStack.
Containerisation: Containerisation tools help in maintaining consistency across the environments where the application is developed, tested and deployed. Containerisation eliminates the failure in a production environment by packaging and replicating the same dependencies and packages that are used in the development, testing and staging environments.
Docker is the most used containerisation tool.
Repositories: An artifact repository is a collection of binary software artifacts and metadata stored in a defined directory structure. A repository stores two types of artifacts — releases and snapshots. Release repositories are for stable, static release artifacts, and snapshot repositories are frequently updated repositories that store binary software artifacts from projects that are under constant development.
GitHub is the central repository where the code is maintained. Bitbucket and Nexus are the other repository tools.
Database management: This helps in managing revisions of database schema scripts. Liquibase is a widely used open source database solution that supports various databases.
Continuous monitoring: Continuous monitoring across all phases of application development, testing and deployment is crucial for a successful DevSecOps implementation. Improving service quality by monitoring application performance and log management solves the problem of aggregating, storing, and analysing all logs in one place.
Splunk, ELK Stack, Nagios, Sensu, and NewRelic are some of the popular tools for monitoring.
Open source tools for DevSecOps adoption in the cloud
Open source DevSecOps tools for the cloud are designed and developed using open source technologies to fulfil the DevSecOps toolchain capabilities. These are:
- Portfolio management tools, which provide transparency to stakeholders and participants
- Collaboration tools to help teams work together, anywhere and anytime
- Source control tools, which are the single source of truth
- Issue tracking tools to increase responsiveness and visibility
- Configuration management tools that enforce the desired state
- Continuous integration tools
- Binary repositories that manage builds, releases and dependencies
- Monitoring tools, which ensure service uptime and optimal performance
- Automated test tools for higher quality
- Deployment tools to improve time to market
Security tools to provide security in the DevOps life cycle, covering interactive application security and testing, runtime application and self-protection, and cloud security
The following are some of the key open source DevSecOps tools that can be used in the cloud.
Ansible: Red Hat owns Ansible. This tool automates various common tasks related to IT operations such as application deployment, configuration management and cloud provisioning. It integrates with numerous DevOps tools including Jenkins, JIRA, Git, and many others. The free open source version of Ansible is available on GitHub.
Chef: Chef is an open source automation platform that transforms infrastructure into code. It operates in the cloud, on-premises, or in a hybrid environment. The Chef development kit provides the tools to develop and test infrastructure automation code from a local workstation prior to deploying changes into production.
Docker: Docker is software used for OS level virtualisation. It is used to create, deploy and run application packages called containers. Containers allow the developer to package an application with all the parts it needs, such as libraries and other dependencies, and ship it as one package. Docker is lightweight, open and secure.
Docker has two parts. Docker Engine is a tool responsible for creating and running Docker containers. Docker Hub is a service application based on the cloud, which covers the concept of application sharing and workflow automation.
GitHub: This is a collaborative code review tool supporting around 200 software languages. It also supports all the version control features of check-in, commits, branches, merging, labels, task management, wikis, push and pull to/from GitHub, etc. Git fits in very well as a popular and distributed version control system for teams located at different geographical locations.
Many DevSecOps teams use it for managing the source code of their applications. It consists of plugins that can link with Jenkins to facilitate deployment and integration.
Hudson: This continuous integration tool is developed in Java and runs on a VMware host or cloud. It is used for managing, monitoring, continuous testing and integration. It supports various systems for management of source code, application servers, code analysis tools, testing frameworks, and build tools. It has real-time notifications of test failures, change set support, and an easy installation and configuration process.
Jenkins: Jenkins is a cloud based continuous integration tool that helps to automate the activities of build, code analysis and storing of artefacts. These activities are triggered once a developer or the team commits the code to the version control repository.
Jenkins has many plugins and works as a CI tool for various different technologies like C/C++, Java/J2EE, .NET, Angular JS, etc. It also provides plugins to integrate with SonarQube for code review, JFrog Artifactory for storing binary artifacts, testing tools like Selenium, etc, as a part of the automation process.
Jenkins helps to automate deployments to app servers like Tomcat, JBoss, Weblogic through plugins, and also to container platforms like Docker.
Kubernetes: Open source Kubernetes is free and downloaded from its repository on GitHub. Administrators must build and deploy the Kubernetes release to a local system or cluster, or to a system or cluster in a public cloud such as AWS, Google Cloud Platform (GCP) or Microsoft Azure.
Puppet: This is a cloud DevSecOps tool for operating and delivering software. Puppet automates deployment to provide reliability and agility. It provides continuous automation and delivery faster across the complete software delivery life cycle. Also, the tool increases productivity and operational efficiency, infrastructure as code, configuration management, automated testing and continuous delivery.
Veracode: This powerful cloud based service suite for software testing can help to implement end-to-end security. It provides application security services and solutions to reduce risk in Web, mobile and third party applications. The various security services provided by Veracode for DevSecOps are:
- Static analysis security testing
- Software composition analysis
- Vendor analysis security testing
- Web application scanning
Selenium: This is an automated functional testing tool to test Web applications. Installed as a Firefox browser plugin, it helps to record and playback test scenarios. In a DevSecOps scenario, once the application is deployed in a test environment, Selenium automated testing is invoked.
Supergiant: This open source platform for container management can be utilised for Kubernetes deployment on multiple clouds in a matter of minutes. The Supergiant API is used for streamlining production deployment.
Apache Mesos: Apache Mesos abstracts CPU, memory, storage and other computer resources away from machines, whether they are physical or virtual, and enables fault-tolerant and elastic distributed systems to be easily built and run effectively. The Mesos kernel runs on every machine and provides applications like Hadoop, Spark, Kafka and Elasticsearch, with APIs for resource management and scheduling across the entire data centre and cloud environments.
Synk: This open source security management tool is used to automatically find, prioritise and fix vulnerabilities in the open source code and its dependencies. It helps in developing cloud native applications.
Benefits of DevSecOps
Some of the key benefits of adopting DevSecOps processes are:
- It eliminates silos, and promotes collaboration and team work.
- It identifies the vulnerabilities, and reduces the cost and time to deliver software.
- A DevSecOps tools setup reduces the time of deployment by 80-90 per cent. As an example, it reduces deployment time from 12 hours to 2 hours.
- It increases software quality with automated testing. It also reduces the cost and time needed to test, and deployment related downtime.
- It provides improved and stable operations, diminishes security threats, reduces rework, and increases the reliability of service delivery.
- It improves development productivity and overall software quality by 20 per cent with automated and early detection of defects in the cycle.
- Improves business value and provides increased customer value by being responsive to change.
To sum up, the combination of cloud computing and DevSecOps provides automated and fast application development and monitoring. This increases an organisation’s ability to deliver applications and services at high velocity.