DevOps Security Challenges and Considerations

The introduction of infrastructure as code (IaC) methodology has required organizations to adapt quickly and implement new processes for operating, developing, and maintaining applications in different environments, such as on-premises and multicloud. An increase in processes and speed can lead to security gaps. As a result, processes have been refined over time to implement more efficient and secure deployment and product release cycles. The new security processes integrated with IaC methodology are referred to as DevSecOps.

Use the Oracle Cloud Infrastructure (OCI) DevOps service to achieve your DevOps objectives.

The OCI DevOps service is a complete continuous integration and continuous delivery (CI/CD) platform to simplify and automate the software development lifecycle. The DevOps service enables collaboration on developing, building, testing, and deploying software. You have visibility across the development lifecycle and get a history of source commits through build, test, and deploy phases.

During the DevSecOps definition process, you must analyze components of the CI/CD pipeline in your deployment process to strengthen security defenses. Also consider how to improve source code and protect code repositories.

How DevSecOps Works and Why You Need It

The goals of DevOps methodology have always been to increase efficiency and speed up deployment to production. The goals for DevSecOps are the same as DevOps, with the addition of securing all components used in the various deployment processes.

DevSecOps is a shared responsibility with all stakeholders, including the cloud provider, DevOps engineers, test engineers, application owners, and security analysts. You must find the right balance to maintain speed and agility during the software lifecycle, while maintaining the appropriate level of end-to-end security.

The DevSecOps Maturity Model (DSOMM) describes the security measures to apply when using DevOps strategies, and how to prioritize them to enhance security. For example, use the model to determine how to test each component, such as application libraries and operating system libraries in Docker images, for known vulnerabilities.

Applying DevSecOps in OCI

The following information provides the typical DevSecOps workflow that takes advantage of OCI features.

  1. A developer creates code within a repository (for example, in the DevOps service with policies and permissions, or in third-party code repositories such as GitHub and GitLab). To integrate with third-party code repositories such as GitHub and GitLab, create a personal access token (PAT) in GitHub or GitLab, and then store the PAT in an OCI vault.

  2. The changes are committed to the continuous integration and continuous delivery (CI/CD) tool to build.

  3. The CI/CD tool can do either of the following things:

    • Invoke a third-party static and dynamic code analysis tool, such as Sonatype, SonarQube, or OverOps, to identify security defects or code quality bugs.
    • Push the newly built container image to an Oracle Cloud Infrastructure Registry repository with scanning capability enabled. Then the CI/CD tool obtains the results of the image scan by using the Vulnerability Scanning REST API. Based on the results of the image scan, your CI/CD tool can then determine whether to move the image to the next stage in the lifecycle.

  4. If the code analysis or the image scanning passes, automated tests are performed, such as security, API integration, and user interface testing.

  5. When the application and code pass these tests, the best practice within the deployment pipeline is to add a control stage approval. An approval stage pauses deployment for a specified time, during which an approver is notified of deployments, and then manually supplies approval.

  6. When the deployment pipeline has been approved, the application and code are deployed to the OCI platforms in your production environment that include: Compute instances (virtual machine and bare metal), Container Engine for Kubernetes (managed Kubernetes) clusters, and OCI Functions (serverless functions).

  7. The environment where the application is deployed must be monitored continuously to identify security issues. In addition, perform the classic monitoring of metrics and service logs using OCI services such as Application Performance Monitoring (APM), Logging, and Monitoring. Configure monitoring systems to respond to security threats quickly by using native OCI functions, such as Notifications. You can also integrate logs with ticketing systems (for example, ServiceNow) or third-party SIEM systems.
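The gating decision in step 3 (pass or block an image based on its scan results) is the piece a pipeline author has to write; here is one way to do it, as an added example that is not part of Oracle's documentation or of the OCI DevOps service. It assumes the scan result JSON carries a `problems` list whose entries have `severity`, `cveReference` and `description` fields (modeled on the Vulnerability Scanning service's container scan result; verify the field names against the OCI API reference before relying on them), and the `GatePolicy` class, the `evaluate_scan` function and the placeholder CVE identifiers in the sample are constructed for this example. In a real pipeline the JSON would come from the REST API or the OCI Python SDK rather than from the embedded sample.

```python
"""Gate a build stage on container image scan results (added example)."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Severity order used for the threshold comparison (assumed to match the
# severity values the scanning service reports).
SEVERITY_RANK = {"NONE": 0, "MINOR": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}


@dataclass
class GatePolicy:
    """What the pipeline tolerates before promoting an image."""
    max_severity: str = "MEDIUM"  # highest severity that may pass unreviewed
    # Findings accepted by a risk owner, keyed by CVE id, each with an ISO
    # expiry date so an exception cannot silently live forever.
    accepted_risks: dict = field(default_factory=dict)


def evaluate_scan(result: dict, policy: GatePolicy, today: date) -> tuple[bool, list[str]]:
    """Return (passed, reasons).

    Fails closed: a missing or malformed result blocks promotion. A finding
    blocks when its severity exceeds policy.max_severity and it is not covered
    by an unexpired accepted-risk entry.
    """
    if not isinstance(result, dict) or "problems" not in result:
        return False, ["no scan result available; refusing to promote image"]
    limit = SEVERITY_RANK[policy.max_severity.upper()]
    reasons = []
    for problem in result["problems"]:
        severity = str(problem.get("severity", "NONE")).upper()
        if SEVERITY_RANK.get(severity, SEVERITY_RANK["CRITICAL"]) <= limit:
            continue  # at or below the threshold; unknown severities count as CRITICAL
        cve = problem.get("cveReference") or problem.get("name") or "unknown"
        expiry = policy.accepted_risks.get(cve)
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # risk accepted and the acceptance has not expired
        reasons.append(f"{severity}: {cve} - {problem.get('description', '')[:60]}")
    return (not reasons, reasons)


# Constructed sample in the assumed result shape; the CVE ids are placeholders.
SAMPLE_SCAN_RESULT = {
    "highestProblemSeverity": "CRITICAL",
    "problemCount": 3,
    "problems": [
        {"name": "CVE-0000-0001", "cveReference": "CVE-0000-0001",
         "severity": "CRITICAL", "description": "constructed: sample critical finding"},
        {"name": "CVE-0000-0002", "cveReference": "CVE-0000-0002",
         "severity": "HIGH", "description": "constructed: finding with accepted risk"},
        {"name": "CVE-0000-0003", "cveReference": "CVE-0000-0003",
         "severity": "LOW", "description": "constructed: finding below threshold"},
    ],
}


def gate_from_json(raw: str, policy: GatePolicy, today: date) -> tuple[bool, list[str]]:
    """Parse the JSON a pipeline step would receive and evaluate it; bad JSON fails closed."""
    try:
        return evaluate_scan(json.loads(raw), policy, today)
    except (json.JSONDecodeError, TypeError):
        return False, ["scan result is not valid JSON; refusing to promote image"]


if __name__ == "__main__":
    policy = GatePolicy(max_severity="MEDIUM",
                        accepted_risks={"CVE-0000-0002": "2099-01-01"})
    passed, reasons = gate_from_json(json.dumps(SAMPLE_SCAN_RESULT), policy, date.today())
    for reason in reasons:
        print("BLOCKED:", reason)
    print("image promoted" if passed else "image held for remediation")
    sys.exit(0 if passed else 1)  # non-zero exit stops the pipeline stage
```

The accepted-risk map with an expiry date is the part worth copying: it lets a named owner consciously waive one finding for a bounded time, and the pipeline starts blocking again when that window closes instead of carrying the exception indefinitely.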

DevSecOps deployment pipeline in OCI.

DevSecOps Best Practices

We recommend the following DevSecOps best practices.

  1. Enforce policy and governance.

    A successful DevSecOps process adheres to and implements strong governance focused on security functions, such as Identity and Access Management (IAM) and privileged access management (PAM). The process must also define roles for the DevSecOps model, provide proper training, and stay up to date on the latest security techniques.

  2. Automate your DevOps security processes and tools.

    Use automation in your DevOps process to reduce risks from human errors and security incidents. Use of more efficient tools and automation results in faster DevOps security processes and more resilient applications. OCI provides security tools for code analysis, configuration management, patching, and vulnerability management with OS Management and Oracle Vulnerability Scanning Service. Privileged credential and secrets management is provided with Vault.

  3. Perform comprehensive discovery.

    Continuously validate, monitor, and include all devices, tools, and accounts in accordance with your security policy. This process helps align your OCI assets to adopt a Zero Trust security model.

  4. Conduct vulnerability management.

    All types of vulnerabilities must be considered, cataloged, validated, and remediated before application deployment goes into production. We recommend integrating the OWASP DevSecOps Guideline with your DevSecOps security testing.

  5. Secure access with DevOps secrets management.

    When you implement DevOps processes, prioritize managing the security and lifecycle of credentials and identity accounts in your code. Vault can help you achieve secrets management.

  6. Control, monitor, and audit access with privileged access management.

    Adopting OCI services such as IAM, DevOps IAM Policies, Logging, and Monitoring, can help you manage privileged access.

  7. Segment networks.

    When you define DevOps processes, you must segment your networks to reduce attack surfaces while isolating different work environments (for example, isolating production from development test environments).

For more information, see the Self-Service Landing Zone, which meets the CIS Foundations Benchmark for Oracle Cloud.