Computing environments have evolved from monolithic implementations to cloud-based infrastructure and microservice architectures. With major players such as GCP, AWS and Azure releasing managed Kubernetes and container services, it has become easier to adopt a microservice-based architecture. Alongside this evolution of the computing environment, the development process has moved from the waterfall method to agile and, more recently, to DevOps. This evolution has reduced application development time from months to weeks, or sometimes to days.
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. Together, these practices shorten development life cycles and help maintain a continuous delivery mechanism.
The term DevSecOps emphasizes the need to build a security foundation into DevOps initiatives. An overview of the DevOps phases, and of the security areas that need focus in each phase as part of a DevSecOps implementation, is provided below:
- Plan: This phase focuses on business value and requirements. Example tools in this phase are Jira or Gi, which are used for issue tracking and project management. Threat Modelling and Technology Risk Assessment are the security services to include in this phase.
- Develop: This phase covers application design and writing the application code. Sample tools include GitHub or GitLab. Code Security, Access Control Security and Host / Network Security should be the focus of this phase.
- Build: In this phase, builds and versions are managed with automated tools. Docker, Ansible, Puppet etc. are common tools in this phase. The security focus in this phase should be on Code Security, Access Control Security, Host and Network Security and Container Security.
- Test: This phase involves continuous testing to maintain code quality. Sample tools include JUnit, Selenium etc. Code Security, Access Control Security, Host and Network Security and Container Security should be the security focus in this phase.
- Deploy: This phase includes tools that help manage and automate product deployments into production. Tools in this phase include Jenkins, Kubernetes, OpenShift, Docker etc. Security areas in this phase are Code Security, Access Control Security, Host and Network Security and Kubernetes (K8s) Security.
- Monitor: This phase involves monitoring applications in production and collecting information about issues. Sample tools include Datadog, Grafana, Wireshark, Splunk etc. The security focus in this phase should be on Logging, Log Analysis and Auditing, and Host and Network Security.
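As an added example (not code from the original article or any of the tools it names), the following Python script shows one way the Container Security and Kubernetes Security focus of the Build and Deploy phases can be enforced as an automated gate in the pipeline rather than a manual review: it parses a workload manifest (Kubernetes accepts JSON as well as YAML) and fails the deploy step when the pod or any container violates a baseline policy. The manifest, the image names and the policy rules are constructed for illustration; the rules are an assumption about what a team would enforce, not something the original text specifies.

```python
"""Deploy-phase security gate: reject Kubernetes workloads that violate a
baseline policy before they reach the cluster.

Added example. The manifest below is constructed for illustration and the
policy rules are an assumed team baseline, not a standard from the article.
"""
import json

# Constructed sample manifest: the JSON form of a Kubernetes Deployment with
# one non-compliant container ("orders") and one compliant one ("sidecar").
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "orders-api", "namespace": "shop"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,
                "containers": [
                    {
                        "name": "orders",
                        "image": "registry.example.com/orders:latest",
                        "securityContext": {"privileged": True},
                    },
                    {
                        "name": "sidecar",
                        "image": "registry.example.com/sidecar@sha256:" + "a" * 64,
                        "securityContext": {
                            "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                        },
                    },
                ],
            }
        }
    },
})


def pod_spec(manifest):
    """Return the PodSpec for a bare Pod or for a templated workload
    (Deployment, StatefulSet, DaemonSet, Job share spec.template.spec)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_manifest(manifest_json):
    """Evaluate the assumed baseline policy.

    Returns a list of (target, rule) tuples, one per violation, where target
    is "pod" for pod-level settings or the container name.
    """
    manifest = json.loads(manifest_json)
    spec = pod_spec(manifest)
    violations = []

    # Pod-level: sharing host namespaces defeats container isolation.
    if spec.get("hostNetwork"):
        violations.append(("pod", "hostNetwork must not be enabled"))
    if spec.get("hostPID") or spec.get("hostIPC"):
        violations.append(("pod", "hostPID/hostIPC must not be enabled"))

    # Container-level: init containers get the same rules as app containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            violations.append((name, "privileged container"))
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append((name, "allowPrivilegeEscalation must be false"))
        if not sc.get("runAsNonRoot"):
            violations.append((name, "runAsNonRoot must be true"))
        if not sc.get("readOnlyRootFilesystem"):
            violations.append((name, "readOnlyRootFilesystem should be true"))
        # A mutable tag such as :latest can change between scan and deploy;
        # a digest pins exactly the image that was scanned in the Build phase.
        if "@sha256:" not in image:
            violations.append((name, "image must be pinned by digest"))
    return violations


def gate(manifest_json):
    """CI gate: True when the manifest may be deployed, False otherwise."""
    return not check_manifest(manifest_json)


if __name__ == "__main__":
    for target, rule in check_manifest(SAMPLE_MANIFEST):
        print(f"{target}: {rule}")
    # Non-zero exit status fails the pipeline step.
    raise SystemExit(0 if gate(SAMPLE_MANIFEST) else 1)
```

Run against the constructed manifest, the script lists six violations (one for the pod's hostNetwork and five for the "orders" container) and exits non-zero, so a Jenkins or GitLab deploy stage wired to it stops before `kubectl apply`. The same function can be run earlier, in the Build phase, against manifests checked into the repository, which is the point of shifting these checks left.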