CNAS DevOps & DevSecOps Framework - Ngee Ann Polytechnic
Summary
This presentation from Ngee Ann Polytechnic discusses the DevOps and DevSecOps process framework in cloud native architecture (CNAS). It covers topics such as continuous integration and delivery, microservices, containerization, infrastructure as code, and monitoring and logging. The presentation also highlights the benefits of adopting DevOps and DevSecOps practices.
Full Transcript
CNAS: Cloud Native Architecture And Security
DEVOPS & DEVSECOPS PROCESS FRAMEWORK IN CLOUD NATIVE ARCHITECTURE
Ngee Ann Polytechnic, Specialist Diploma in Cloud Security (Official Open)

Module Road Map

Learning Objectives
In this chapter, you will:
- Understand the overview of the DevOps and DevSecOps process framework under Cloud Native
- Understand the DevOps and DevSecOps role and integration in Cloud Native Architecture
- Learn about the advantages/benefits of DevOps and DevSecOps in an organization
- Explore 6 best practices under DevOps

Traditional SDLC Model
SDLC (Software Development Lifecycle) refers to the structured process for building, deploying and maintaining applications that are designed to run in a cloud environment using cloud technologies.
Key stages of the SDLC: Planning, Design, Development, Testing, Deployment, Monitoring and Maintenance, Feedback and Iteration.
In the traditional SDLC, the development team works on code which is then sent to the testing team for validation against requirements. The operations team comes in toward the end of the process, when the release is handed over. DevOps aims to break these silos, enabling better collaboration and performance.

Traditional Communication Model Between Dev Team and Ops Team
[Cartoon of the Dev and Ops teams talking past each other; the speech bubbles read: "Put the current release live, NOW!", "It works on my machine.", "We need this yesterday.", "What are the dependencies?", "No machines available…", "You are using the wrong version.", "Which DB?", "High Availability?", "Scalability?"]
Traditional SDLC Challenges

Introduction to DevOps

DevOps in Cloud-Native Architecture
DevOps (in the context of CNA) is about automating and streamlining the processes required to build, test, deploy and monitor applications by leveraging cloud native technologies and tools.
- A set of practices that combines software development and IT operations.
- Goal: shorten the systems development life cycle and provide continuous delivery with high software quality.
- Complementary with Agile software development; several DevOps aspects came from the Agile methodology.

DevOps: the three-stage conversation
Dev and Ops: 1. People, 2. Process, 3. Products. Three pillars that make DevOps successful – focus on human aspects, workflow & methodology and

DevOps – People – Process – Products
The inter-dependence between these three elements makes DevOps effective in achieving fast, reliable and scalable software delivery.
- People: the right culture and collaboration. Developer, Ops and Security teams work collaboratively, communicate effectively and share ownership and responsibility for the entire application lifecycle.
- Process: well-defined processes (workflow and methodology) with automation and continuous improvement ensure faster and safer application deployment. Example: an automated CI/CD pipeline to automate testing, integration and deployment.
- Products: technologies and tools support the processes and empower people to execute DevOps effectively. Examples: Kubernetes, Terraform, Docker.

DevOps Model
Development and Operations teams work in collaboration to minimize the effort and risk involved in releasing software.
Introduce collaboration by ensuring that the Ops team gives constant feedback to the Development team about the code, analyzing the impact on end users and troubleshooting any problems together to gain stability of the product.
DevOps enables a cultural change that removes the barrier between development and operations, with both working together for a common set of objectives.
Though DevOps is a technical methodology, it is also an inherently human approach. DevOps embraces agility and problem-solving; collaboration is central. Having a DevOps mindset encourages broader communication instead of sticking strictly to one discipline.

DevOps Practices in CNA Environment
Key DevOps best practices in CNA for building, deploying, monitoring and maintaining cloud native apps:
- Continuous Integration
- Continuous Delivery/Deployment
- Microservices and Containerization
- Infrastructure as Code
- Monitoring and Logging
- Communication and Collaboration
Adopting these practices helps teams deliver cloud applications faster, with high quality and at scale.

Continuous Integration (CI)
Involves automatically building and testing microservices whenever code changes are committed to the repository.
Tools: Jenkins, GitLab. CI servers enable automated build and test, along with varying levels of notifications, which is fundamental to keeping agile efforts on track.
Example: when a developer pushes code to the repository, a CI pipeline automatically runs tests, builds a Docker image for the microservice and pushes the image to a container registry (Docker Hub). This ensures the developer can catch bugs early.

Continuous Delivery/Deployment (CD)
Automated deployment involves automatically deploying to a staging or production environment after code passes tests.
Tools: Kubernetes, Helm.
Example: after a successful CI build, the next step is to deploy the app to the staging or production environment for container orchestration.
Microservices - Containerization
A cloud native application is made up of small, loosely coupled services that can be developed, deployed and scaled independently. DevOps practices enable seamless operation of these microservices, ensuring they can be continuously delivered and monitored.
- Containerization: containers (like Docker) package applications (microservices) and their dependencies for easy deployment. Each microservice is encapsulated within its own container (Docker), which ensures consistency across environments. Tool: Docker
- Container Orchestration: manages containers at scale (based on demand), including deployment, scaling and management. Tool: Kubernetes

Infrastructure as Code (IaC)
A practice in which infrastructure is provisioned and managed using code, with version control and continuous integration. The cloud's API-driven model enables developers and system administrators to interact with infrastructure programmatically, and at scale, instead of needing to manually set up and configure resources.
- Automated Provisioning: cloud-native infrastructure like compute (VMs, containers), networking (load balancers), databases, storage and security configurations is defined as code and version-controlled. It can be provisioned programmatically.
- Declarative infrastructure: cloud resources are described in declarative languages, which allows infrastructure to be described as a set of desired states rather than a series of commands.

Infrastructure as Code (IaC)
Allows teams to replicate, scale or recover infrastructure easily and consistently. Use of code makes configuration changes repeatable and standardized. Frees developers and administrators from manually configuring operating systems, system applications, or server software.
Tools: AWS CloudFormation, Terraform, Ansible, Kubernetes

Continuous Monitoring & Logging
Enable teams to gain insights into application health, performance, security and infrastructure capacity. These practices are critical in ensuring microservices run reliably.
Key Practices:
- Real-time monitoring using metrics, logs and traces.
- Log Aggregation: microservice logs are aggregated into a central logging system for troubleshooting and analysis.
- Alerting: notification alerts are sent when certain critical metrics' thresholds are triggered, for events like system failures, performance bottlenecks and security breaches.
Tools: Prometheus, Grafana

Communication and Collaboration
Collaboration and communication between development and operations is important for the success of DevOps. It ensures issues are identified early and enables faster, appropriate early responses/resolutions to changing requirements and conditions.
Key Practices:
- Automated continuous feedback loops
- Use of collaboration tools: Microsoft Teams and ChatOps help facilitate real-time communication among DevOps cross-functional teams to solve issues efficiently.
- GitHub/GitLab: provide version control and collaboration features to streamline communication between members on code changes.

DevOps Implementation Example
A typical DevOps adoption example is shown below:

DevOps – Typical CI/CD Pipeline
1. Coding and Version Control: developers write and commit code to a shared central repository (GitHub). Code is stored in a version control system.
2. Continuous Integration (CI): when code is pushed to the repository, a tool like Jenkins can be triggered to run automated tests (unit and integration tests) on the new code. When the tests pass, the new code is merged into the main branch and the CI tool generates a build artifact (a new Docker image build).
3. Continuous Deployment (CD): the CD pipeline automatically deploys the new app image to staging and pre-production environments.
4. Automated Testing: once the code is deployed to the staging and pre-production environments, automated tests are run again (integration, load and user acceptance tests). Test results are automatically logged and developers are notified if something breaks.
5. Infrastructure as Code: DevOps engineers provision the cloud resources, networks and services required to run the apps.
6. Monitoring and Logging: after production deployment, teams monitor and track application and infrastructure performance and health.
7. Continuous Feedback Loop: Developers and Ops teams check and review logs and metrics, address any issues and work collaboratively to improve code and infrastructure.

Advantages of Adopting DevOps
1. Improved Communication & Collaboration – Cohesive Teams
Break down the silos between Dev and Ops teams so they work cohesively toward common objectives, such as setting product objectives and a vision statement aligned with the organization's overall strategic objectives. Encourages a culture of shared responsibility, ownership and transparency. With a cohesive team, the wall of conflict and the "not my job" syndrome can be eliminated.
2. Faster Time to Market (Delivery)
Continuous Integration and Continuous Deployment (CI/CD) allow for rapid, frequent release cycles. Teams can deliver features, fixes and updates faster and more frequently due to shorter development cycles.
3. Higher Quality Software Product
Automated testing ensures code quality and helps detect bugs early in the development cycle. Continuous feedback loops (from users and monitoring tools) lead to faster issue resolution.

Advantages of Adopting DevOps
4. Cost Efficiency
Automation reduces manual repetitive tasks and human errors, saving time and resources.
Faster issue detection and resolution reduce downtime and maintenance costs.
5. Scalability and Flexibility
Infrastructure as Code and containerization (like Docker and Kubernetes) allow systems to be scaled up and down efficiently. Enables organizations to respond to market changes or customer needs with agility.
6. Enhanced Monitoring and Feedback
Continuous monitoring of applications and infrastructure, together with feedback loops, improves system reliability. Real-time metrics enable better decision-making and proactive improvements.
7. Greater Customer Satisfaction
User experience is improved with frequent updates and fast bug fixes. Better alignment between development and business goals results in features that better serve users.

What is DevSecOps
DevSecOps is an extension of DevOps that integrates security practices into the entire DevOps pipeline (development, testing, operations).
- Continuous security integration throughout the SDLC.
- Security is considered early in the development process rather than as an afterthought after the deployment phase.

Key Principles of DevSecOps
- Shift Left Security: security is integrated early in the SDLC rather than after development is complete.
- Collaboration: Developers, Ops Engineers and Security teams work together, where security is everyone's shared collective responsibility.
- Automation: automating security checks (code analysis, vulnerability scanning and tests for insecure configurations). Use penetration testing tools like Metasploit or Burp Suite to simulate attacks and identify weaknesses.
- Continuous Monitoring – Report and Action: continuously monitor for security events and unusual activity during operations and post-deployment. Use an IDS tool (Snort) to monitor for network attacks. Implement logging and alerting. Any vulnerability discovered should be addressed quickly through patches, updates or configuration changes.
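The monitoring and alerting practice from the Continuous Monitoring & Logging slide and the Continuous Monitoring principle above, as an added Python example written for this page (it is not code from the presentation or from Prometheus/Grafana). It shows two things the slides describe but do not demonstrate: an alert rule that fires only when a metric threshold is breached for several consecutive scrapes, and a central log aggregator that groups JSON log lines from several microservices and raises a security alert on repeated failed logins. The metric series, the log lines, the thresholds and the service names are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample (not real telemetry): per-service 5xx error-rate series, one
# value per scrape interval, as a Prometheus-style monitoring stack would hold them.
ERROR_RATE_SAMPLES = {
    "checkout": [0.01, 0.02, 0.08, 0.09, 0.11, 0.12],  # sustained breach
    "catalog": [0.00, 0.07, 0.01, 0.00, 0.00, 0.00],   # one-scrape blip, must not page
}

# Alert rule modelled on Prometheus' "expr ... for: <duration>": the threshold must be
# exceeded for `for_samples` consecutive scrapes before the alert fires, so a single
# transient spike does not wake anyone up. Threshold values are illustrative.
ALERT_RULES = [
    {"name": "HighErrorRate", "threshold": 0.05, "for_samples": 3, "severity": "critical"},
]


def evaluate_alerts(samples, rules):
    """Return (rule name, service, index of the scrape at which the alert fired)."""
    fired = []
    for rule in rules:
        for service, values in samples.items():
            consecutive = 0
            for idx, value in enumerate(values):
                consecutive = consecutive + 1 if value > rule["threshold"] else 0
                if consecutive == rule["for_samples"]:
                    fired.append((rule["name"], service, idx))
                    break  # report once per series; an alert manager would dedupe repeats
    return fired


# Constructed sample of JSON log lines as several microservice containers would ship
# them to a central log aggregator (one JSON object per line, plus one malformed line).
RAW_LOGS = """\
{"ts":"2024-05-01T10:00:01Z","service":"checkout","status":500,"msg":"payment timeout"}
{"ts":"2024-05-01T10:00:02Z","service":"catalog","status":200,"msg":"list products"}
{"ts":"2024-05-01T10:00:02Z","service":"checkout","status":502,"msg":"upstream unavailable"}
not-json garbage emitted by a misbehaving sidecar
{"ts":"2024-05-01T10:00:03Z","service":"auth","status":401,"msg":"bad credentials"}
{"ts":"2024-05-01T10:00:04Z","service":"auth","status":401,"msg":"bad credentials"}
{"ts":"2024-05-01T10:00:04Z","service":"auth","status":401,"msg":"bad credentials"}
"""


def aggregate_logs(raw):
    """Group log lines by service and count total requests, 5xx responses and 401s.

    Malformed lines are counted and skipped rather than crashing the aggregator:
    one bad emitter must not take monitoring down for every other service."""
    summary = defaultdict(lambda: {"total": 0, "server_errors": 0, "auth_failures": 0})
    malformed = 0
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        entry = summary[record.get("service", "unknown")]
        entry["total"] += 1
        status = record.get("status", 0)
        if 500 <= status < 600:
            entry["server_errors"] += 1
        elif status == 401:
            entry["auth_failures"] += 1
    return dict(summary), malformed


def security_alerts(summary, auth_failure_threshold=3):
    """Security-event alerting on the aggregated logs: services whose 401 count in the
    window reaches the threshold (repeated failed logins) are flagged for review."""
    return [svc for svc, e in summary.items() if e["auth_failures"] >= auth_failure_threshold]


if __name__ == "__main__":
    for name, service, idx in evaluate_alerts(ERROR_RATE_SAMPLES, ALERT_RULES):
        print(f"ALERT {name}: service={service} fired at scrape #{idx}")
    summary, malformed = aggregate_logs(RAW_LOGS)
    for service, counts in summary.items():
        print(f"{service}: {counts}")
    print(f"malformed log lines skipped: {malformed}")
    print("services needing security review:", security_alerts(summary))
```

Run as a script it reports the checkout error-rate alert (fired at the third consecutive breach, while the catalog blip stays silent), the per-service counts, the one skipped malformed line, and the auth service flagged for repeated 401s. The "for N consecutive samples" rule and the tolerance for malformed input are the two design choices that keep such a pipeline from flooding the on-call rotation or silently dying.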
DevSecOps Workflow - Security Testing
- Code Development: Static Application Security Testing (SAST) tools like SonarQube and Fortify run static code analysis on the code to identify vulnerabilities such as SQL injection, cross-site scripting and insecure data handling (without actually executing it).
- Version Control (Secure Git Repositories): secure the version control process by using tools like Git hooks to ensure the code meets security requirements before being committed. For example, enforcing password policies, checking for API key exposure or preventing the push of sensitive data like passwords.
- Continuous Integration: once code is in the CI pipeline, Dynamic Application Security Testing (DAST) (black box testing) is run to simulate attacks and find vulnerabilities in the running application. Tools include OWASP ZAP and Burp Suite. To ensure container security, scanning tools are used to ensure images are free from known vulnerabilities.
- Automated Security Testing (SCA Dependency Scanning): use Software Composition Analysis (SCA) tools to scan for vulnerabilities in open-source third-party libraries/dependencies, analysing applications to see whether they contain these vulnerabilities.

DevSecOps Workflow - Security Testing
Continuous Delivery/Deployment (Secure CD Pipeline)
- Infrastructure as Code (IaC) Security Checks: ensure IaC configuration (CloudFormation, Terraform) follows security best practices and check for misconfigurations.
- Secrets Management: tools like AWS Secrets Manager or Azure Key Vault are integrated to ensure secrets (passwords, API keys, certificates) are securely managed and never hardcoded into the codebase.
Security in Deployment Pipeline
- Continuous Security Testing: integrated into the pipeline to scan for vulnerabilities, test for insecure configurations and ensure the system is secure at every stage.
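The three automated gates from the two workflow slides above (the pre-commit Git hook that blocks API-key and password exposure, SCA dependency scanning, and IaC misconfiguration checks) as one added Python example written for this page; it is illustrative code, not a tool from the presentation nor the engine behind SonarQube, Terraform or any SCA product. The staged files, the requirements list, the advisory entries (EXAMPLE-ADV-0001 and -0002 are placeholders, not real CVEs), the simplified Terraform-style resource shape and the policy rules are all constructed assumptions; the regexes are deliberately small and would need extending for real use.

```python
import re

# --- 1. Secret detection: the check a pre-commit Git hook runs on staged files ---
SECRET_PATTERNS = {  # illustrative patterns, not a complete secret scanner
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{6,}['"]"""),
}

# Constructed staged files: one hardcodes credentials, one reads them from the
# environment (what secrets management requires), one is a committed private key.
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "hunter2hunter2"\nAWS_KEY = "AKIAEXAMPLEKEY000001"\n',
    "app/main.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedplaceholder\n",
}


def scan_for_secrets(files):
    """files: {path: content}. Returns [(path, line_no, pattern_name)] for every hit."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, line_no, name))
    return findings


# --- 2. SCA: match pinned dependencies against an advisory list ---
# Constructed advisories with placeholder ids (not real CVEs): a package is affected
# when its pinned version is below `fixed_in`.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib", "fixed_in": "1.3.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "otherlib", "fixed_in": "0.9.1"},
]
SAMPLE_REQUIREMENTS = "examplelib==1.2.10  # constructed pin\notherlib==0.9.1\ncleanlib==2.0.0\n"


def parse_requirements(text):
    """Parse 'name==version' lines (pip requirements style); comments and blanks ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            deps[name.strip().lower()] = version.strip()
    return deps


def version_tuple(version):
    """'1.2.10' -> (1, 2, 10): compare numerically, not as strings (dotted integers only)."""
    return tuple(int(part) for part in version.split("."))


def sca_check(deps, advisories):
    """Return [(package, pinned version, advisory id)] for every affected dependency."""
    return [(a["package"], deps[a["package"]], a["id"]) for a in advisories
            if a["package"] in deps and version_tuple(deps[a["package"]]) < version_tuple(a["fixed_in"])]


# --- 3. IaC misconfiguration checks on a simplified Terraform-style resource list ---
SAMPLE_RESOURCES = [  # constructed shape, not real Terraform plan output
    {"type": "aws_s3_bucket", "name": "public_assets", "config": {"acl": "public-read"}},
    {"type": "aws_s3_bucket", "name": "customer_data", "config": {"acl": "private"}},
    {"type": "aws_security_group", "name": "bastion_sg",
     "config": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_db_instance", "name": "orders_db", "config": {"storage_encrypted": False}},
]
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the whole internet under this policy


def iac_check(resources):
    """Return [(resource name, issue)] for each configuration that violates policy."""
    issues = []
    for res in resources:
        cfg = res["config"]
        if res["type"] == "aws_s3_bucket" and cfg.get("acl", "private") != "private":
            issues.append((res["name"], f"bucket ACL '{cfg['acl']}' is not private"))
        if res["type"] == "aws_security_group":
            for rule in cfg.get("ingress", []):
                if rule.get("from_port") in ADMIN_PORTS and "0.0.0.0/0" in rule.get("cidr_blocks", []):
                    issues.append((res["name"], f"admin port {rule['from_port']} open to 0.0.0.0/0"))
        if res["type"] == "aws_db_instance" and not cfg.get("storage_encrypted", False):
            issues.append((res["name"], "database storage is not encrypted"))
    return issues


def run_gate(files, requirements, resources):
    """Run all three checks; the pipeline stage fails (passed=False) if any check reports."""
    report = {
        "secrets": scan_for_secrets(files),
        "sca": sca_check(parse_requirements(requirements), ADVISORIES),
        "iac": iac_check(resources),
    }
    report["passed"] = not any(report[k] for k in ("secrets", "sca", "iac"))
    return report


if __name__ == "__main__":
    report = run_gate(SAMPLE_FILES, SAMPLE_REQUIREMENTS, SAMPLE_RESOURCES)
    for check in ("secrets", "sca", "iac"):
        for finding in report[check]:
            print(f"[{check}] {finding}")
    print("GATE PASSED" if report["passed"] else "GATE FAILED: fix the findings before deploying")
```

Wired into a pipeline, the secret scan runs in the pre-commit hook (failing the commit), while the SCA and IaC checks run as CI stages before the CD stage is allowed to deploy; the important property is that a single failing check blocks promotion rather than merely logging a warning. Note that `app/main.py`, which reads the password from the environment, produces no finding, which is exactly the pattern secrets management tools are there to support.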
- Automated Penetration Testing: tools like Metasploit or Burp Suite are used to simulate attacks and identify weaknesses in staging or pre-production environments.
Continuous Monitoring & Incident Response
- Real-time monitoring for security events and unusual activity with tools (Prometheus, Splunk)
- Intrusion Detection Systems (IDS): a tool like Snort to monitor network traffic
- Logging and Alerting
- Incident Response and Remediation

Benefits of DevSecOps
- Improved Security: issues are detected and rectified faster.
- Faster Time-to-Market: automated security checks enable quick feedback, allowing teams to fix issues in real time and keep development moving.
- Reduced Risk: continuous monitoring and testing ensure security gaps and vulnerabilities are minimized, reducing the chances of successful attacks.
- Compliance: helps in meeting regulatory compliance standards by ensuring security is built into the application from the start, making audits easier.

Conclusion
DevOps practices help companies achieve agility, scalability and resilience. By adopting DevOps practices such as CI/CD, automated testing, IaC and continuous monitoring, teams can develop and deliver cloud native applications faster, with high quality and at scale. DevOps practices foster collaboration, increase automation and ensure applications evolve continuously to meet customer needs and business goals. DevSecOps integrates security into the DevOps workflow, making security everyone's responsibility from the start of the development process and throughout all its stages.