Axis DevSecOps Training Batch-5
Overview
Familiarity with the DevSecOps process
August, 2021
Topics
Agenda 1 | What’s unique about DevOps?
[Timeline figure: DevOps milestones, 2007 to 2016 and onwards]
While these areas define the success criteria for DevOps, they also become its risks and challenges.
How can DevOps practices make Axis high performing?
• Faster and more frequent build and deployment promotes experimentation and innovation
• Consistent, faster and reliable releases contribute to shorter time to market and change lead time
• Reliable and consistent environments improve system reliability
System Administrators
• 96x faster recovery from failures
• 3x lower change failure rate
• Less complexity to manage
Operations
• 22% less time spent on unplanned work and rework
• Better code from developers because of increased communication
Product Managers
• 46x more frequent software deployments
• 440x faster lead time to changes
End Users
• Experience more consistent processes and applications
• Improved experience
Overall Impact: Increased Time to Market and change lead time, Increased code complexity,
Compromised code quality, inflexibility in responding to quick changes and modernization
Agile and DevOps complement each other: the former sets up the delivery process and the latter refines it further and provides a way to implement it.
[Figure: Agile and DevOps lifecycle. Recoverable labels, in order:]
Pre-game
1. Requirements
2. Requirement validation
3. Backlog construction (product backlog, modern user story)
Agile development
4. Sprint planning
5. Sprint: 5a. Daily scrum; 5b. Development; 5c. Refine product backlog (business functionality, product increment, testing)
6. Sprint review
7. Sprint retrospective
DevOps pipeline: check in code to SCM -> invoke continuous integration/deployment pipeline -> check code quality -> build -> deploy to UAT/staging -> sanity testing -> automated testing in UAT/staging -> deploy to production -> prod sanity -> live product
8. Deployment (inputs: business functionality specification, deployment specification, infrastructure requirement, NFR requirement: scalability/availability/performance)
9. Gather metrics: usage, errors, feedback, performance (continuous monitoring)
10. Post-deployment feedback
DevOps Means…
A. Developers taking over all operations tasks
B. Automating the process of software delivery and infrastructure changes
C. The collaboration and communication of both software developers and all other information-technology (IT) professionals
D. The collaboration and communication of just software developers and operations staff
Correct Answer: C
Quiz Time
What benefit can DevOps bring to an organization?
A. Improved deployment frequency, which can lead to faster time to market
B. Lower failure rate of new releases
C. Shortened lead time between fixes
D. Faster mean time to recovery in the event of a new release crashing or otherwise disabling the current system
E. All of the above
Correct Answer: E
Agile and DevOps are similar but differ in a few important aspects.
Which statement is correct?
Traditional IT Operations
• Before the advent of DevOps, companies had separate "walled-off" teams of developers, testers, and operations. All too often they had conflicting goals.
• Developers would spend 3-4 months building a ton of features and then try to merge their code. This process was slow and tended to produce lots of errors.
• After a long integration, developers would hand over their code to QA.
• When testers discovered a ton of bugs, developers would often respond with the classic: IT WORKS ON MY MACHINE.
• Once the finger pointing was over and the bugs were worked out, developers would pass the torch to Operations.
• Ops would then try to deploy the code to production. If the deployment failed, they would blame Developers for providing faulty artifacts.
• As running software in production was none of the developers' business, Ops would have to swallow their pride, stock up on coffee, and fix the mess.
DevOps Strategy
• DevOps emerged as a response to these issues.
• It's a culture that aims to bridge different teams and eliminate communication bottlenecks. DevOps relies on standardization of environments and extensive automation throughout the development pipeline.
• DevOps helps organizations to:
  - Deploy more often (and with a higher success rate)
  - Fix defects earlier and faster
  - Improve product quality
  - Reduce time-to-market
  - Better adapt to market needs
  - Boost user satisfaction
  - Increase productivity
  - Improve teamwork
DevOps Strategy
In order to embrace a DevOps strategy, the organization has to abandon some of its old methods and gradually adopt new practices.
Separation of environments into development/test/staging/prod is the first requirement for a DevOps transformation. Setting up environments manually takes a lot of time and requires attention from the ops team.
Agile development is another prerequisite. Focusing on rapid delivery and small cross-functional teams requires more environments. The only way to stay agile is to increase automation and move past the 'silo' culture.
Microservices architecture is an approach to building software as a large number of independent services. Each service represents a single feature and communicates with other services via APIs. The increased number of releases this brings requires yet more automation.
[Figure: Continuous Integration flow. Developer starts writing code -> checks in code frequently to the source code repository (GitHub, Bitbucket, svn etc.) -> CI server downloads the codebase -> builds the codebase -> tests the codebase -> reports success/failure.]
Depending on the size of the codebase, one cycle takes as little as a couple of minutes to a few tens of minutes, a significant time saving that results in faster feedback on the changes.
Break the pipeline on stage failure or threshold deviation so that only compliant code is integrated with the larger codebase; this means fewer broken builds and improved code stability.
"Continuous Integration doesn't get rid of bugs, but it does make them dramatically easier to find and remove."
Stages of Continuous Integration

Tools for Continuous Integration
There are several tools available in the market to help with Continuous Integration. But it is important for one to carefully select the right tool
that matches the needs of development and infrastructure.
Quiz Time
A. Reduce risks
B. Reduce repetitive manual processes
C. Generate deployable software at any time and at any place
D. Increases repetitive manual processes
Correct Answer: D
Continuous Delivery is the software engineering practice where you build a refined version of the software by continuously folding in fixes and feedback, so that every build that passes the pipeline is releasable, until you decide to push it out to production.
Continuous Deployment is the software engineering practice where every change goes through an automated pipeline and a working version of the application is automatically pushed to production, with no manual release decision.
Principle: "Reduce cost, time, and risk of delivering incremental changes to the business"
Tools for Continuous Deployment
There are several tools available in the market to help with Continuous Deployment. But it is important for one to carefully select the right tool
that matches the needs of development and infrastructure.
Scaling from an IT/Software/DevOps Engineer to a DevSecOps Engineer
"Only 21% of the [companies] believe that their organization's present culture and practices support collaboration across development, operations and security"
~ Freedom Dynamics (IT Industry Analysis)
In regulated industries, security plays a critical role in the entire software development process, and the security touchpoints are interwoven with the CI/CD pipeline so that security becomes the underlying DNA of the delivery pipeline.
[Figure: security touchpoints along the pipeline. Source code: plain text secrets, code security vulnerabilities, hotspots, dependency license risk analysis. Artefacts: container images, binary non-containerized artefacts (exe, war etc.). Runtime: container runtime security, DAST.]
Tools for SecOps
There are several tools available in the market to help with SecOps. But it is important for one to carefully select the right tool that matches the needs of development and infrastructure.
• SAST
• SCA
• Container Security
• DAST
The Impact
• … during the final stages of deployment, which does not always detect the full scope of security defects; as a result, organizational pressure on developers to fix their code and release on time increases.
• … intelligence impedes developers' ability to address security issues and make effective decisions while coding.
• … may lack the necessary controls to prevent bad components from being introduced into or remaining in the ecosystem and being reused across the application portfolio.
• … monitoring activities during the CD cycles. Consequently, defect fixing takes precedence over feature building and technical debt rises, which curtails innovation. Continuous Integration (CI) cycles become clogged with a growing backlog of defects that take developers away from building new products and features.
Pre-requisites to adopt the DevSecOps model
• Automate the process as much as possible
• Follow the DevOps methodology
• Train to code securely
• Evaluate current security measures and conclude what to do to overcome problems
• Integrate security into DevSecOps and adopt the right DevSecOps toolset
• Monitor Continuous Integration and Continuous Delivery
• Analyse code and do a vulnerability assessment
• Mandatory security at every stage
Continuous Feedback
Continuous Security
Continuous Governance
Indicative CI workflow
Developer (User1) works on a local copy of the repo. Project root: App, Dockerfile, Jenkinsfile, docker-compose/k8s manifest files for deployment. A feedback channel reports results back to the developer.
• Real-time code quality scan in the IDE
• Pre-commit code review through PR/IDE-based plugins
• Daily code push with gated check-in
• Branch protection: minimum approving reviews, deny stale PRs, signed commits, privileged merge
• Perform repository scan for passwords, keys, tokens etc.
• Perform static code review with a quality gate configuration
• Perform dependency analysis
• Invoke unit test suite
• Perform vulnerability scanning of the codebase
• Perform build: build the codebase with the appropriate build tool integrated with the pipeline (control gate: break pipeline on build failure)
• Perform Dockerfile validation: validate the Dockerfile against best practices (control gate: break pipeline on validation failure)
• Containerize application: create the application docker image
• Perform image scan: scan the generated image against base image and other vulnerabilities (control gate: break pipeline on image vulnerability)
• Perform image sign: sign the generated image to ensure image integrity
For non-containerized applications the project root holds only the App and the Jenkinsfile, and the same validation-failure and build-failure control gates apply.
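The repository scan for passwords, keys and tokens in the workflow above, as an added example that is not part of the original training material or of Axis's tooling. It runs a handful of detection rules over constructed sample files and shows the two filters that keep such a scan usable as a control gate: an allowlist of known placeholders and a skip for values that are injected from the secret store at runtime. The rules, the allowlist and the sample contents are assumptions made for illustration; the AWS key is the example key from AWS's own documentation and the other secrets are made up.

```python
"""Repository secret scan of the kind run before check-in.

Added example for this training page, not Axis's own tooling. The detection
rules, the allowlist and the sample file contents are assumptions made for
illustration; the sample secrets are constructed and not real credentials.
"""
import math
import re

# (rule name, regex). The named patterns are precise; the generic assignment
# rule catches "password = ..." style lines and is filtered further below.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b")),
    ("secret_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]

# Placeholder values that are safe to commit (assumed allowlist).
ALLOWLIST = {"changeme", "<redacted>", "xxxxxxxx", "password"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking material scores well above 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def _is_reference(value: str) -> bool:
    """True for values resolved at runtime, e.g. ${VAULT_TOKEN} or {{ .secret }}."""
    return value.startswith(("${", "{{", "$("))


def scan_text(path: str, text: str, entropy_min: float = 2.5) -> list:
    """Return findings as dicts; the matched value is masked in the output."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if rule == "secret_assignment":
                # Generic rule: drop placeholders, templated references and
                # low-entropy strings that are unlikely to be real secrets.
                if value in ALLOWLIST or _is_reference(value):
                    continue
                if shannon_entropy(value) < entropy_min:
                    continue
            findings.append({
                "path": path, "line": lineno, "rule": rule,
                "masked": value[:4] + "*" * (len(value) - 4),
            })
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping, i.e. the files staged for commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def control_gate(findings: list) -> bool:
    """Gate semantics used throughout the page: any finding breaks the pipeline."""
    return not findings


# Constructed sample repository contents (not real files or credentials).
SAMPLE_FILES = {
    "config/app.properties": (
        "db.user=appsvc\n"
        "db.password=Tr0ub4dor&3xyz\n"       # real-looking secret: reported
        "vault.token=${VAULT_TOKEN}\n"        # injected at runtime: allowed
        "api_key = changeme\n"                # placeholder: allowed
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # AWS documentation example key
        "aws s3 cp target/app.war s3://artefacts/\n"
    ),
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']} {f['rule']} {f['masked']}")
    raise SystemExit(0 if control_gate(results) else 1)   # non-zero breaks the pipeline
```

Run as a pre-commit hook or as the first CI stage, the non-zero exit is what the pipeline's control gate keys on. The entropy filter and the allowlist are the knobs that decide how noisy the gate is; keep the allowlist in the repository under review so that adding a placeholder is itself a reviewed change.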
Indicative CD workflow | Containerized Applications
SCM -> pull image from the container registry -> validate signature -> perform pre-deployment check -> deployment -> post-deployment validation with auto rollback -> feedback channel

Indicative CD workflow | Legacy Applications
SCM -> pull artefact from the registry -> validate signature -> perform pre-deployment check -> deployment -> post-deployment validation with auto rollback -> feedback channel
Continuous testing (CT) control gates: break the pipeline on performance test failure, on coverage % deviation, and on DAST failure.
Continuous Deployment Strategies
At enterprise level, deployment and release follow multiple patterns, and the DevOps platform should seamlessly support the different deployment patterns.
The best choice comes down to the needs and constraints of the business and the application owners; the most critical considerations in choosing a deployment pattern are as follows -
With multiple deployment patterns in place, a comparison across business risk, duration, complexity and cost is often helpful.
[Comparison table. Columns: Pattern, Description, Business Risk, Rollout Cost, Rollout Duration, Rollout Complexity, Parallel Operations, Rollback Complexity; cells are rated from High to Low. First row: Recreate: fully scale down the existing application before you scale up the new application.]
Axis Centralized Continuous Integration and Continuous Deployment Platform
The Axis centralized DevSecOps platform - HOI
• Bitbucket for code versioning
• Jenkins for Continuous Integration/Deployment
• Checkmarx for Static Application Security Testing
• JFrog Artifactory for artifact repository
• Twistlock for container static and runtime security
• Acunetix for Dynamic Application Security Testing
The Axis centralized DevSecOps platform architecture
[Architecture figure. Labels recovered: EKS Cluster, BOF, Thanos, Other Slaves, Application Specific Build & Deployment Agents, On-Prem.]
Axis project archetypes and pipeline mapping
1. Code is developed in the OEM environment; the package (image, ear/dll) is uploaded to the Axis artefact repository for deployment. No CI possible, CD can be adopted. Pipelines: Microservices CD pipeline, Legacy CD pipeline. Support: validation and, if found fit, proceed with the assessment.
2. Code is developed in the OEM environment; code is uploaded to the Axis code repository. Both CI and CD can be adopted for continuous deployment with more control on code quality. Pipelines: Microservices CD pipeline, Legacy CD pipeline. Support: define the security scan thresholds; hand over the pipeline template and code snippets.
3. The code is developed, maintained and deployed in the Axis environment; code is committed to the Axis code repository. Both CI and CD can be adopted for continuous deployment with more control on code quality. Pipelines: Microservices CD pipeline, Legacy CD pipeline. Support: DevOps team to review the implementation and provide the handholding required; DevOps, Cloud and Infosec teams to provide the required support on a per-need basis.
CI Pipeline (archetypes 2 and 3, containerized applications)
Secret Management: Gemalto/HashiCorp Vault
• Code: branching strategy; branch protection (PR based merge instead of manual)
• Build: production grade build configuration; configuration file check
• Push package to secure registry & scan: push the versioned application image to the secure container registry (JFrog); Docker image scan (Twistlock); publish result

CI Pipeline (archetypes 2 and 3, legacy applications)
Secret Management: Gemalto/HashiCorp Vault
• Code: branching strategy; branch protection (PR based merge instead of manual)
• Build: production grade build configuration; configuration file check
• Package sign: sign the package with jarsigner/signtool for jar/ear/exe/dll; publish result

CD Pipeline (containerized applications)
Secret Management: Gemalto/HashiCorp Vault
• Vulnerability scanning of the docker image (archetype 1: image received from external partners)
• Pre-deployment check: verify the Kubernetes namespace and system resources (CPU, RAM) are available for the application; verify the required pod security policy, network policy, etc. are present on Kubernetes; verify RBAC is enabled for the cluster
• Post-deployment check: monitor application deployment status; roll back if the deployment fails; clean up the artefact if the deployment failed; notify relevant stakeholders
• Container runtime security*: runtime visibility into containerized environments (Twistlock)

CD Pipeline (legacy applications)
Secret Management: Gemalto/HashiCorp Vault
• Vulnerability scanning of the artefact (archetype 1: jar/ear/exe/dll/sln etc. received from external partners)
• Pre-deployment check: server reachability; verify server resources (CPU, RAM, disk space, etc.) are available for the application; deployment dependencies are met
• Post-deployment check: monitor application deployment status; roll back if the deployment fails; clean up the artefact if the deployment failed; notify the relevant stakeholders
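The pre-deployment check for containerized applications, as an added example that is not part of the original material or of the Axis pipeline. It takes a constructed snapshot of the target cluster (standing in for what the Jenkins stage would read with kubectl) and a constructed release request, verifies namespace, RBAC, pod security policy and network policy, and checks that the replicas' resource requests fit the namespace's remaining ResourceQuota, which requires parsing Kubernetes quantities such as 500m and 512Mi. The snapshot shape and field names are assumptions.

```python
"""Pre-deployment check for a containerized release.

Added example for this training page, not Axis's own pipeline code. The
cluster snapshot and the release request are constructed dicts standing in
for what a pipeline stage would read via kubectl; field names are assumed.
"""

_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_cpu(q: str) -> int:
    """Kubernetes CPU quantity to millicores: '500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    q = q.strip()
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def parse_memory(q: str) -> int:
    """Kubernetes memory quantity to bytes: '512Mi' -> 536870912, '1G' -> 1000000000."""
    q = q.strip()
    # Binary suffixes first so '1Gi' is not mistaken for '1G' + 'i'.
    for suffix, mult in list(_BINARY.items()) + list(_DECIMAL.items()):
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(float(q))


def pre_deployment_check(cluster: dict, deployment: dict) -> list:
    """Return the list of failed checks; an empty list means the gate passes."""
    failures = []
    ns_name = deployment["namespace"]
    ns = cluster["namespaces"].get(ns_name)
    if ns is None:
        return [f"namespace {ns_name!r} does not exist"]   # nothing else can be checked

    if not cluster.get("rbac_enabled", False):
        failures.append("RBAC is not enabled for the cluster")
    if not ns.get("pod_security_policies"):
        failures.append(f"no pod security policy bound in namespace {ns_name!r}")
    if not ns.get("network_policies"):
        failures.append(f"no network policy present in namespace {ns_name!r}")

    quota = ns.get("resource_quota")
    if quota:   # a namespace without a ResourceQuota has no admission limit to check
        replicas = deployment["replicas"]
        req = deployment["requests"]
        need_cpu = replicas * parse_cpu(req["cpu"])
        need_mem = replicas * parse_memory(req["memory"])
        free_cpu = parse_cpu(quota["hard"]["cpu"]) - parse_cpu(quota["used"]["cpu"])
        free_mem = parse_memory(quota["hard"]["memory"]) - parse_memory(quota["used"]["memory"])
        if need_cpu > free_cpu:
            failures.append(f"cpu: need {need_cpu}m, quota has {free_cpu}m free")
        if need_mem > free_mem:
            failures.append(f"memory: need {need_mem} bytes, quota has {free_mem} bytes free")
    return failures


# Constructed snapshot of the target cluster (stands in for kubectl output).
CLUSTER = {
    "rbac_enabled": True,
    "namespaces": {
        "payments": {
            "resource_quota": {
                "hard": {"cpu": "4", "memory": "8Gi"},
                "used": {"cpu": "2500m", "memory": "6Gi"},
            },
            "network_policies": ["default-deny-ingress"],
            "pod_security_policies": ["restricted"],
        },
    },
}

# Constructed release request: 3 replicas of 500m CPU / 512Mi each.
RELEASE = {"namespace": "payments", "replicas": 3,
           "requests": {"cpu": "500m", "memory": "512Mi"}}

if __name__ == "__main__":
    problems = pre_deployment_check(CLUSTER, RELEASE)
    for p in problems:
        print("pre-deployment check failed:", p)
    raise SystemExit(1 if problems else 0)   # non-zero breaks the pipeline
```

The quota arithmetic is the part worth having in code rather than in a checklist: a deployment that exceeds the remaining quota is not rejected by the API server at apply time but fails pod by pod at scheduling, which is exactly the half-deployed state the auto-rollback step above exists to clean up. Checking it before the deploy keeps the pipeline from ever entering that state.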
To-Be CI Pipeline
[Flow figure: Developer commits code to Bitbucket -> trigger -> code pull -> perform build -> SAST -> SLAs met? -> build Docker image -> Twistlock scan -> SLAs met? -> push Docker image to the Non-Prod account. Each decision point reports to the notification channel.]
To-Be CD Pipeline for Prod Environment
Pipeline parameters: Environment; Vault URL and path; Vault credentials; Image name and tag
[Flow figure: pull pipeline and deployment manifests from Bitbucket -> pre-deployment checklist (break pipeline if it fails) -> pull Docker image from the UAT account -> image sign verification, then tag and push the Docker image to the Prod account -> trigger deployment to the Prod cluster (Amazon EKS); roll back if the deployment fails -> cluster hardening (enabling RBAC, PSP policies, namespace isolation, pod network policies) and cluster monitoring -> logging (Fluentd agent, CloudWatch agent) and APM (Dynatrace agent) -> key and secret management -> run-time container scanning. Failures trigger the notification channel.]
Tools Integrated as part of CI/CD in Axis Platform:
• Jenkins HOI Centralized (To automate the CI/CD process)
• Jenkins slave (An instance running on AWS cloud used to run the application specific jobs)
• CD tools: Amazon EKS - for deployments with kubectl or helm charts & various others (JBoss CLI, OCP cluster, Azure CLI)
• BitBucket Centralized SCM (For version control of source code)
• Checkmarx (For SAST and OSA scan)
• NodeJs, NPM, Maven & various others (To build the application and provide the final artifact)
• JFrog Centralized Artifactory (To store the various versions of artifacts for an application)
• Notary (For signing Docker images)
• Twistlock (For docker image scan)
• Acunetix (To run DAST scan)
• Gemalto, HashiCorp Vault (For key and secret management)*
• Cluster Monitoring & Logging (CloudWatch, Elasticsearch, Fluentd, and Kibana)*
• Dynatrace (Application performance monitoring)*
• Cypress (For functional testing)*
• Email & Teams Notifications
Note: * tools mentioned above are Application specific and depends upon Application Architecture
[Figure: Jenkins DevSecOps CI pipeline]
[Figure: Jenkins DevSecOps CD pipeline]
[Figure: Jenkins DevSecOps CICD pipeline]
Pipeline Control Gates and Thresholds
CI Pipeline
• Checkmarx: Static Application Security Testing (SAST) and Dependency Analysis** (severities High, Medium, Low). Control gates are enabled in the pipeline as per the threshold defined in the infosec policy, e.g. block all high and medium vulnerabilities in lower environments and block high, medium and low for production*.
• Twistlock: image scan for microservices (severities Critical, High, Medium, Low). Control gates are enabled in the pipeline as per the threshold defined in the infosec policy, e.g. block all critical and high vulnerabilities in lower environments and block critical, high, medium and low for production*.
• Threshold values are defined at the pipeline level and are protected against accidental change.
CD Pipeline
• Pre-deployment check: cluster health, namespace, resource quota, PSPs, server reachability etc. Break the pipeline on checklist failure.
• Verify image signature when promoting from the non-prod pipeline to the prod pipeline. Break the pipeline on signature mismatch.
• Threshold values are defined at the server level.
Any breach of a threshold breaks the pipeline and notifies the team along with the scan report from the respective tool.
* Example threshold, not actual
** Currently not operational
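The threshold control gates above, as an added example that is not part of the original material or of the Axis pipeline. The policy table encodes the slide's example thresholds (lower environments versus production, per scanner) in read-only structures so a pipeline step cannot relax them by accident, evaluates constructed scan reports against them and returns the per-severity counts that the notification would carry. The report format is an assumption, not real Checkmarx or Twistlock output, and the finding ids are made up.

```python
"""Severity threshold gates for SAST and image-scan reports.

Added example for this training page, not Axis's pipeline code. The policy
mirrors the example thresholds on the slide (marked there as illustrative);
the report format is assumed and the findings are constructed.
"""
from types import MappingProxyType

# Severities that block the pipeline, per scanner and environment class.
# frozenset inside MappingProxyType: the table is read-only, so a pipeline
# step cannot accidentally relax a threshold by mutating it.
POLICY = MappingProxyType({
    "sast":  MappingProxyType({"lower": frozenset({"High", "Medium"}),
                               "prod":  frozenset({"High", "Medium", "Low"})}),
    "image": MappingProxyType({"lower": frozenset({"Critical", "High"}),
                               "prod":  frozenset({"Critical", "High", "Medium", "Low"})}),
})


def env_class(environment: str) -> str:
    """Map a concrete environment name to its policy class; prod is strict, the rest are lower."""
    return "prod" if environment.lower() in {"prod", "production"} else "lower"


def evaluate_gate(scanner: str, environment: str, findings: list) -> dict:
    """Count findings per severity and decide whether this scanner's gate passes.

    findings: list of {"id": ..., "severity": ...} taken from the scan report.
    """
    blocked = POLICY[scanner][env_class(environment)]
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    blocking = {sev: n for sev, n in counts.items() if sev in blocked}
    return {
        "scanner": scanner,
        "environment": environment,
        "counts": counts,        # full breakdown for the notification
        "blocking": blocking,    # only the severities the policy blocks
        "passed": not blocking,
    }


def run_gates(environment: str, reports: dict) -> dict:
    """Evaluate every scanner report; the pipeline proceeds only if all gates pass."""
    results = {scanner: evaluate_gate(scanner, environment, findings)
               for scanner, findings in reports.items()}
    return {"passed": all(r["passed"] for r in results.values()), "gates": results}


# Constructed scan output for one build (ids and severities are made up).
REPORTS = {
    "sast": [
        {"id": "SAST-1", "severity": "Low"},
        {"id": "SAST-2", "severity": "Low"},
        {"id": "SAST-3", "severity": "Info"},
    ],
    "image": [
        {"id": "IMG-1", "severity": "Medium"},
        {"id": "IMG-2", "severity": "Low"},
    ],
}

if __name__ == "__main__":
    for env in ("uat", "prod"):
        outcome = run_gates(env, REPORTS)
        print(env, "PASS" if outcome["passed"] else "BREAK PIPELINE")
        for scanner, r in outcome["gates"].items():
            print(f"  {scanner}: counts={r['counts']} blocking={r['blocking']}")
```

The same build passes the UAT gates and fails the production gates, which is the promotion behaviour the slide describes: lower environments admit medium and low findings so that feedback keeps flowing, production does not. Keeping the policy in a read-only structure that the pipeline only reads, never writes, is the in-code counterpart of "protected against accidental change"; the actual values still belong in the infosec policy, not in the pipeline script.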
Success Stories
Success stories so far…
[Chart: Branch of Future – UAT Pipeline, Continuous Integration, AS-IS vs Current: 2.48 vs 3.23 and 5 vs 5 (y-axis 0 to 6)]
Branch of Future – SAST & Image Scan integration with the Pipeline
Success stories so far…contd.
• Uniqueness of DevOps and its practices to make Axis high performing