DevSecOps and Automation

Continuous Integration/Continuous Deployment (CI/CD) also known as DevOps is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common, especially on cloud-based platforms. However, meeting FedRAMP and FISMA related compliance requirements as part of the Security Accreditation and Authorization (SA&A) process requires additional steps in the CI/CD pipeline.  Tools such as Yasca, SonarQube, and OpenSCAP amongst others when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify, and others can provide additional reports and information requires by the IA team to help ensure compliant with FedRAMP and FISMA requirements.

Implementing Security in the CI/CD Pipeline

The CI/CD or DevOps Security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items including static code analysis, vulnerability scanning, anti-virus scans, and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization. SecDevOps includes the execution of automated scanning tools and manual security reviews of results by the Security Team in order to facilitate the application deployment process. Key areas of concern for the IA team include static code scanning, dynamic code scanning, anti-virus, vulnerability scanning, and NIST SCAP compliant reporting and analytics. stackArmor’s DevOps and Compliance Engineering teams have implemented Secure DevOps solutions for Agencies including US Treasury, HUD, and GSA 18F amongst others.

Platform-as-Code and Shifting Compliance to the left

Deploying and managing applications in the cloud at scale requires using automation techniques as opposed to using the command line interface or console to execute instructions. The extensive use of technologies like Terreform, Ansible and Cloudformation offer “scripting” options. There are higher level automation solutions like AWS Control Tower to orchestrate deployment of multiple accounts and implement a landing zone. Every organization must make a determination on the right approach for them based on specific requirements. These requirements could include the need to deploy in various regions, leveraging specific cloud services, cost, and complexity trade-off’s. Sound very complicated?

stackArmor’s architects and engineers have helped organizations adopt and implement the right infrastructure-as-code solution. Leveraging cloud-native solutions like AWS CDK released in 2019 helps simplify the creation of “compliance templates”.  AWS CDK uses the familiarity and expressive power of programming languages for modeling compliance templates or landing zones (for our use case). It provides high-level components called constructs that preconfigure cloud resources with proven defaults, to provision resources in a safe, repeatable manner through AWS CloudFormation. It also provides support for Terraform using cdk tf for defining Terraform HCL state files in TypeScript and Python. For kubernetes users, the cdk8s project enables the use of CDK constructs for defining kubernetes configuration in TypeScript, Python, and Java. cdk8s can be used to define kubernetes infrastructure running anywhere and can be used with the AWS CDK’s Amazon Elastic Kubernetes Service (Amazon EKS) construct the library. The power of AWS CDK allows us to express our compliance templates using simpler and more streamlined programming abstractions reducing the time and the aggravation associated with developing large complex cloudformation templates. The use of AWS CDK allows us to truly implement infrastructure as code and implement DevSecOps at the foundational level and shift security and compliance to the left. The infographic below provides an overview of a CI/CD pipeline with in-built quality and security checks.

 

 

Contact us by filling out the form below if you are interested in learning more about our DevOps and Cloud Automation Consulting services: