DevOps & DevSecOps in Cloud Native Architecture

Questions and Answers

Which of the following best describes the primary goal of DevOps in the context of Cloud-Native Architecture (CNA)?

• To eliminate the need for cloud-native technologies and tools.
• To automate and streamline processes for building, testing, deploying, and monitoring applications. (correct)
• To manually manage application deployments in the cloud.
• To reduce the need for software development and IT operations.

In a traditional Software Development Lifecycle (SDLC), what often poses a challenge to collaboration and efficiency?

• Silos between different teams, particularly between development and operations. (correct)
• Close collaboration between development and operations teams from the project's inception.
• The integration of automated testing throughout the development process.
• Frequent communication with end-users to gather feedback.

What key element does DevOps aim to introduce to the software development and release process, contrasting with traditional SDLC models?

• Focusing primarily on code development while minimizing operational considerations.
• Limiting communication between teams to reduce unnecessary interruptions.
• Breaking down silos to enable better collaboration and improved performance. (correct)
• Strictly separating development and operations roles to ensure clear responsibilities.

Which of the following is NOT a typical characteristic or goal of DevOps?

Maintaining strict separation between development and operations teams. (A)

What are the "Three Pillars" that make DevOps successful?

People, Process, and Products. (B)

What is the role of 'constant feedback' from the Operations (Ops) team to the Development team in a DevOps model?

To ensure the Development team considers end-users and troubleshoots issues to gain stability of the product. (C)

Which of the following is a key area DevOps aims to improve by enabling a cultural shift?

The barrier between development and operations teams. (A)

Which of the following is NOT a key DevOps practice in a Cloud-Native Architecture (CNA) environment?

Manual Infrastructure Provisioning. (D)

What does Continuous Integration (CI) primarily involve in the context of DevOps?

Automatically building and testing microservices whenever code changes are committed. (D)

After a successful Continuous Integration (CI) build, what is the typical next step in Continuous Delivery/Deployment (CD)?

Deploying the application to a staging or production environment. (B)

What is the primary purpose of container orchestration tools like Kubernetes in a microservices architecture?

To manage containers at scale, including deployment, scaling, and management. (A)

Which of the following is a key characteristic of 'Infrastructure as Code' (IaC)?

Provisioning and managing infrastructure using code and version control. (B)

What benefit does using code to manage infrastructure provide?

It allows teams to replicate, scale, or recover infrastructure easily and consistently. (A)

What is the role of log aggregation in DevOps?

To aggregate microservice logs into a central system for troubleshooting and analysis. (B)

Why is communication and collaboration emphasized in DevOps practices?

To ensure issues are identified early and appropriate responses are implemented quickly. (B)

In a typical CI/CD pipeline, what happens after automated tests are run on new code?

The code is merged into the main branch, and a build artifact is generated. (C)

Which of the following is the MOST significant advantage of adopting DevOps practices?

Faster time to market through rapid and frequent release cycles. (C)

How does DevOps contribute to improved software quality?

Through automated testing and continuous feedback loops, which lead to faster issue resolution. (B)

Which of the following refers to the concept of integrating security practices into every phase of the DevOps lifecycle?

DevSecOps (B)

In which stage does DevSecOps consider security?

Early in the development process, rather than as an afterthought. (B)

What does the 'Shift Left Security' principle refer to in the context of DevSecOps?

Integrating security early in the SDLC rather than after development is complete. (C)

Which of the following practices is essential for implementing the 'Automation' principle in DevSecOps?

Automating security checks such as code analysis and vulnerability scanning. (B)

In DevSecOps, what is the purpose of implementing 'Continuous Monitoring'?

To continuously monitor for security events and unusual activity during operations and post-deployment. (B)

Which type of tools can assist in Static Application Security Testing (SAST)?

SonarQube (B)

What is the objective of Dynamic Application Security Testing (DAST) in a DevSecOps workflow?

To find vulnerabilities in a running application by simulating attacks. (D)

Why is it important to implement Infrastructure as Code (IaC) Security Checks in DevSecOps?

To ensure IaC code follows security best practices and to check for misconfigurations. (A)

What is the purpose of 'Secrets Management' in a secure CD pipeline?

To ensure secrets like passwords and API keys are securely managed and not hardcoded into codebase. (A)

Which of the following is a tool to monitor network traffic?

SNORT (B)

Which of the following is a benefit of DevSecOps?

All of the above (D)

What is the MOST significant benefit of integrating security into the DevOps workflow?

Improved compliance and reduced risks. (B)

Which of the following is NOT a part of the key benefits of DevOps practices?

Reduced scalability. (C)

What are the listed benefits a company achieves through DevOps practices?

Agility, scalability, resilience (C)

In the conclusion, what is integrated into DevOps workflow with DevSecOps?

Security (B)

Flashcards

SDLC

A structured process for building, deploying, and maintaining applications in the cloud.

DevOps Goal

Aims to break down silos, improving collaboration and performance.

DevOps in Cloud-Native Architecture

Automating and streamlining processes for building, testing, deploying, and monitoring applications.

Three Pillars of DevOps Success

People, Process, and Products

DevOps

Development and operations teams work together to minimize the effort and risk involved in releasing software.

Key DevOps practices in CNA

Building, deploying, monitoring, and maintaining cloud-native apps.

Continuous Integration (CI)

Automates building and testing microservices when code changes are committed.

Continuous Delivery/Deployment (CD)

Automatically deploying to staging or production after code passes tests.

Microservices

Cloud-native apps are made of small, loosely coupled services.

Containerization

Packaging applications (microservices) and their dependencies for easy deployment.

Container Orchestration

Manages containers at scale like deployment, scaling and management.

Infrastructure as Code (IaC)

Infrastructure provisioned and managed using code.

Continuous Monitoring and Logging

Teams gain insights into application health, performance, and security.

Communication and Collaboration for DevOps

Collaboration and communication between development and operations identifies issues early for fast responses.

Typical CI/CD Pipeline

CI/CD pipeline where code is written, committed, tested, and deployed.

Improved Communication & Collaboration

Breaking the silos between Dev and Ops

Cost Efficiency in DevOps

Issues are detected and resolved faster.

Scalability and Flexibility

Systems scaled up and down efficiently.

DevSecOps

Extension of DevOps that integrates security practices into the entire DevOps pipeline

Shift Left Security

Security is integrated early in SDLC.

Benefits of DevSecOps

Early SDLC integration enhances software application security

Static Application Security Testing (SAST)

Static analysis to find vulnerabilities in code.

Software Composition Analysis (SCA)

Code is scanned for vulnerabilities in open-source libraries.

Continuous Security Testing

Vulnerabilities are continuously scanned tested and ensure a more secure process.

Infrastructure as Code (IaC) Security Checks

Ensure IaC code configuration follows security guidelines checks for misconfigurations

Study Notes

• DevOps & DevSecOps process framework in cloud native architecture
• This chapter covers the overview of DevOps and DevSecOps process framework under Cloud Native.

Objectives

• Understand the roles and integration of DevOps and DevSecOps in Cloud Native Architecture
• The advantages and benefits of DevOps and DevSecOps in an organization
• Explore 6 best practices under DevOps

Traditional SDLC Model

• SDLC (Software Development Lifecycle) refers to a structured process for building, deploying, and maintaining applications designed to run in cloud environments using cloud technologies.
• Key stages of SDLC: Planning, Design, Development, Testing, Deployment, Monitoring and Maintenance, Feedback and Iteration
• Development teams work on code, which is then sent to the testing team for validation against requirements in traditional SDLC.
• The operations team gets involved near the end of the process for release handover in traditional SDLC.
• DevOps aims to break the silos, enabling better collaboration and performance.

Traditional Communication Model Challenges

• Aims to address high probability of errors, management bottlenecks, lack of transparency and high costs
• Also addresses late feedback, late fixes and updates and difficult and costly changes

Introduction to DevOps

• DevOps is about automating and streamlining processes required to build, test, deploy, and monitor applications by leveraging cloud native technologies and tools.
• Goal is to shorten systems development life cycle and provide continuous delivery with high software quality.
• DevOps is complementary with Agile software development, and several aspects came from Agile methodology.

DevOps: the three-stage conversation

• Inter-dependence between 3 elements make DevOps effective in achieving fast, reliable and scalable software delivery.
• Three Pillars: People, Process, and Products
• People: Right Culture and Collaboration involving development, operations and security. Developer, Ops and Security teams work collaboratively, communicate effectively and share ownership & responsibility of the entire application lifecycle.
• Process Well defined processes (workflow & methodology) with automation and continuous improvement ensure faster and safe application deployment, such as automated CI/CD pipelines
• Products Technology & tools support the processes and empower people to execute DevOps effectively, such as Kubernetes, Terraform, Docker.
• Development and operations teams work in collaboration to minimize the effort and risk involved in releasing software.
• Introduce collaboration by ensuring that the Ops team is giving constant feedback to the development team about the code, analyzing the impact considering end users and troubleshooting any problems together to gain stability of the product.
• DevOps enables a cultural change to remove the barrier between development & operations, working together for common set of objectives.

DevOps Model

• DevOps embraces agility & problem-solving.
• Collaboration is central.
• A DevOps mindset encourages broader communication instead of sticking strictly to one discipline.

DevOps Practices in CNA Environment

• Key DevOps best practices in CNA - on building, deploying, monitoring and maintaining cloud native apps:
• Continuous Integration
• Continuous Delivery/Deployment
• Microservices -Containerization
• Infrastructure as Code
• Monitoring and Logging
• Communication and Collaboration
• Adopting these practices helps teams deliver cloud applications faster with high quality and at scale.

Continuous Integration (CI)

• Involves automatically building and testing microservices whenever code changes are committed to the repository.
• Jenkins, GitLab are example of CI servers
• CI is for automated build and test along with varying levels of notifications fundamental to keep agile efforts on track.
• Automated tests are ran, a docker image is built for microservice and pushes image to container registry (Docker Hub) when developer pushes code to the repository using a CI pipeline.

Continuous Delivery/Deployment (CD)

• Automated deployment involves automatically deploying to staging or production environment after code passes tests.
• Kubernetes and Helm are tools for CD
• After a successful CI build, the next step is to deploy the app to staging or production for container orchestration.

Microservices - Containerization

• Cloud native application is made up of small loosely coupled services that can be developed, deployed and scaled independently.
• DevOps practices enables seamless operation of these microservices ensuring they can be continuously delivered and monitored.
• Containerization involves packaging applications (microservices) and their dependencies for easy deployment
• Each microservice is encapsulated within its container (Docker) which ensures consistency across environments
• Tools are Docker and Kubernetes.
• Container Orchestration manages containers at scale (based on demand) such as Kubernetes

Infrastructure as Code (laC)

• Practice in which infrastructure is provisioned and managed using code with version control and continuous integration.
• Cloud's API-driven model enables developers & system administrators to interact with infrastructure programmatically, and at scale, instead of needing to manually set up and configure resources.
• Automated Provisioning involves cloud-native infrastructure like compute (VMs, containers), networking (Load Balancer), dB, storage and security configurations being defined as code & version-controlled
• Can be provisioned programmatically
• Declarative infrastructure involves cloud resources described in declarative languages
• Allows infrastructure to be described as a set of desired states rather than a series of commands.

Infrastructure as Code Benefits

• Allows teams to replicate, scale or recover infrastructure easily and consistently.
• Use of code makes configuration changes repeatable and standardized.
• Frees developers + administrators from manually configuring operating systems, system applications, or server software.
• Example tools: AWS CloudFormation, Terraform, Ansible, Kubernetes

Continuous Monitoring & Logging

• Allows for enabling teams to gain insights into application health, performance, security and infrastructure capacity
• Critical in ensuring microservices are running reliably.
• Key Practices: Real-time Monitoring using metrics, logs and traces, Log Aggregation where Microservices logs are aggregated into a central logging system for troubleshooting and analysis, and Alerting where Notification alerts are sent when certain critical metrics' threshold are triggered.
• Common tools are Prometheus and Grafana

Communication and Collaboration

• Collaboration & communication between development and operations is important for success of DevOps.
• DevOps ensures issues are identified early and faster to allow for appropriate, early responses or resolutions to changing requirements and conditions.
• Automated Continuous Feedback Loops
• Use of Collaboration Tools: Microsoft teams, ChatOps to help facilitate real-time communication among DevOps cross-functional teams to solve issues efficiently.
• GitHub/GitLab provides version control and collaboration features to streamline communication between members on code changes.

DevOps Implementation Example

• A typical DevOps adoption example is shown
• Jenkins is used to show the build pipeline

DevOps – Typical CI/CD Pipeline

• Steps include Coding and Version Control, CI Continuous Integration, CI Continuous Deployment, Automated Testing, Infrastructure as Code, Monitoring and Logging and Continuous Feedback Loop
• Coding and Version Control Developers write & commit code to shared central repository (GitHub). Code stored in a version control system.
• CI Continuous Integration: When code is pushed to repository, tool like Jenkins can be triggered to run automated tests (unit & integration tests) on new code. Build artefact is created when tests pass.
• CI Continuous Deployment: CD pipeline automatically deploy new app image to staging and pre-production environments.
• Automated Testing: The D pipeline deploys the new app to staging/ pre-production environment, automated tests are rerun. Test results are logged and developers are notified if something breaks. Infrastructure as Code: DevOps engineers provision cloud resources, networks and services required to run apps.
• Monitoring and Logging: After production deployment, teams monitor and track application and infrastructure performance and heath.
• Continuous Feedback Loop: Developers and Ops teams check and review logs and metrics, address any issues and work collaboratively to improve code and infrastructure.

Advantages of Adopting DevOps

• Improved Communication & Collaboration: Breaks down the silos between Dev and Ops teams creating more cohesive teams working towards common objectives.
• Faster Time to Market (Delivery): Continuous Integration and Continuous Deployment (CI/CD) allow for rapid frequent release cycles to be delivered.
• Higher Quality Software Product: Automated testing ensures code quality and help detect bugs early in development cycle.
• Achieves Cost Efficiency by automating manual repetitive tasks and human errors, and reducing downtime and maintenance costs.
• Scalability and Flexibility is realised through Infrastructure as Code and containerization using frameworks like Docker and Kubernetes
• Results in allowing systems to be scaled up & down efficiently
• Organisation are able to respond to market changes or customer needs with agility

Additional benefits of DevOps

• Enhanced Monitoring and Feedback
  • Continuous monitoring of applications & infrastructure & feedback loops improve system reliability
  • Real-time metrics enables better decision-making and proactive improvements
• Greater Customer Satisfaction
  • Frequent updates and fast bug fixes improve user experience
  • Better alignment helps to service better serve users

What is DevSecOps?

• DevSecOps is an extension of DevOps that integrates security practices into the entire DevOps pipeline (development, testing, operations).
• Continuous security integration throughout the SDLC should also be included.
• Security is considered early in the development process rather than an afterthought after deployment phase.

Key Principles of DevSecOps

• Shift Left Security enables Security to be integrated early in SDLC rather than after development is complete.
• Collaboration requires Developers, Ops Engineers, and Security teams to work together where security is everyone's shared collective responsibility.
• Automation involves automating security checks (code analysis, vulnerability scanning and test for insecure configurations). Use penetrating tools like Metasploit or Burp suite to simulate attacks and identify weaknesses.
• Continuous Monitoring -Report and Action is used to Continuously monitor for security events, unusual activity during operations and pos-deployment.
• It also involves the used of an IDS tool like Snort to monitor network attacks along with the implementation of logging and alerting.
• Any vulnerability discovered should be addressed quickly through patches, updates or configuration changes.

DevSecOps WorkFlow- Security Testing

• Code Development (Static Application Security Testing (SAST)) with tools like SonarQube and Fortify run to identify vulnerabilities, such as SQL injection, cross-site scripting and insecure data handling.
• Version Control (Secure Git Repositories) for Secure the version control process is necessary to ensure code meets security requirements before being committed with enforce tools.
• Continuous Integration (Dynamic Application Security Testing (DAST) is run to simulate attacks to find vulnerabilities with tools like OWASP ZAP and Burp Suite.
• Automated Security Testing enables ensure ensure images are free from known vulnerabilities using scanning tools.
• SCA (Software Composition Analysis) tools are used to scan vulnerabilities in open-source third party libraries/dependencies

Additional DevSecOps Security Flows

• Continuous Delivery/Deployment (Secure CD Pipeline) to follow security best practices and check for misconfigurations along with Secrets Management.
• Security in Deployment Pipeline enables scan for vulnerabilities, test for insecure configurations and ensure the system is secure at every stage.
• Automated Penetration Testing involves the use of tools like Metasploit or Burp Suite used to simulate attacks in staging or pre-production environments.
• Continuous Monitoring & Incidence Response is used for real time monitoring of security events, unusual activity with tools includes log monitoring and alerting for incident response and remediation

Benefits of DevSecOps

• Improved Security - Issues are detected and rectified faster.
• Faster Time-to-Market - Automated security checks enable quick feedback allowing teams to fix issues in real-time and keep development moving. Also allows to fixes issues in real-time and keep development moving.
• Helps to reduce risks with continuous monitoring and testing, ensuring security gaps and vulnerabilities are minimised.
• Enables regulatory Compliance to be adhered to easier with security already built in so audit's easier

Conclusion

• DevOps practices help companies achieve agility, scalability and resilience
• The adoption of DevOps practices such as CI/CD, automated testing, IaC and continuous monitoring allows teams to develop and deliver cloud native applications faster with high quality and at scale.
• To foster collaboration, increase automation and ensure, DevOps practices help applications evolve continuously to meet customer needs and business goals.
• By integrating security into DevOps workflow, DevSecOps makes ensuring its everyone's responsibility from the start of the development process and throughout the entire stages.