Implementing DevSecOps with Docker and Kubernetes: An Experiential Guide to Operate in the DevOps Environment for Securing and Monitoring Container Applications

CHAPTER 1

Getting Started with DevSecOps

In this chapter, we will review DevSecOps challenges, methodologies, and tools as a new movement that tries to improve the security of applications. The idea of DevSecOps is to take security as a requirement in the application design, development, and delivery processes.

Structure

We will cover the following topics in this chapter:

From DevOps to DevSecOps

Getting started with DevSecOps

DevSecOps methodologies

Continuous integration and continuous delivery

DevSecOps tools

Objectives

After studying this chapter, you will be able to understand the concepts of DevOps and DevSecOps. You will also understand DevSecOps methodologies, grasp the concepts of continuous integration and continuous delivery, and learn about DevSecOps tools.

From DevOps to DevSecOps

Today, DevOps allows organizations to deploy changes to production environments at faster speeds without comparing them to classic methodologies. Basically, it’s a set of practices that combines the development and IT operations teams with the aim of shortening software development life cycle with CI/CD practices. A DevOps process would have the following phases:

A developer writes the code using the development environment of their choice and uploads it to a centralized code repository like Git or Bitbucket.

The Continuous Integration (CI) server downloads the source code from the central repository and packages the built artifacts and binaries. For example, Docker images are created and pushed to the Docker registry for containerized applications.

These artifacts and binaries are downloaded from the repository to be deployed in different pre-production and production environments, where they are built using container technologies like Docker and Kubernetes.

Containers are built from the Docker images. If the environment is not a containerized one (like VMs), sometimes the process is just copying the binaries to a drop location.

From a security point of view, DevOps could include a number of best practices that can be applied to increase the security of applications. These best practices include the following:

Add automated security testing techniques, such as fuzz test and software penetration testing, to the software development lifecycle or system integration cycle

Standardization of the integration cycle to reduce the introduction of errors

Introduction of security issues and limitations to software and systems development teams at startup of the projects

At this point, we can introduce DevSecOps as a methodology that aims to integrate security tools into the DevOps process in an automated way.

This necessarily leads to a cultural change in the normal operation of DevOps, and teams must be trained so that they understand what tools they have at their disposal, what they can achieve, and how they work, which allows efficient collaboration between teams, creating a robust security culture in the organization and development teams.

As a result, this multicultural and multidisciplinary automated security environment makes security an issue that affects everyone and not just a single team. This is one of the main engines of DevSecOps.

The following image shows how we are introducing security in DevOps:

Figure 1.1: DevOps vs DevSecOps

Getting started with DevSecOps

The speed at which organizations want to launch software products, especially with DevOps, needs you to have the right tools and processes in the right place. It is in those cases that DevSecOps brings greater value to organizations by incorporating privacy and security into DevOps practices, while allowing you to continue operating with an enhanced level of cybersecurity.

DevSecOps is an initiative that aims to adopt security practices to include them in the DevOps process. Gartner provides a more precise definition: "DevSecOps is the integration of security in DevOps development in the most fluid and transparent way possible. Ideally, this is done without reducing the agility or speed of developers or without requiring developers to change their tools in the development environment."

These are the practices of how DevSecOps is implemented:

Integrate security tools in the development integration process

Prioritize security requirements as part of the product’s backlog

Collaborate with the security and development teams on the threat model

Review infrastructure-related security policies prior to deployment

In those circumstances, applying a DevSecOps methodology is the best option for organizations as it incorporates best practices into the core of the software product development cycle. It does this by integrating security practices into all areas of software development, from infrastructure and continuous integration to deployments and continuous delivery of applications.

In addition, applications should follow information security best practices, including issues like data integrity, availability, and confidentiality, helping developers become aware of how to code in a secure way and the need to understand security best practices.

Advantages of implementing DevSecOps

The DevSecOps philosophy makes all team members, regardless of whether a security is their specialty, aware of the need to apply best practices in this matter.

All this will contribute to adding value to the projects carried out. They are not only intended to be functional and easy to use, but security is taken into account as an element of the development process to create secure code. This will allow vulnerabilities to be detected faster and improve responsiveness and patching to any security threat.

Here are some of the benefits of implementing DevSecOps:

Early identification of potential vulnerabilities in the code is encouraged.

Greater speed and agility in applying security in all phases of development.

Throughout the development process, tools and mechanisms are provided to quickly and efficiently respond to changes and new requirements.

Better collaboration and communication between teams involved in development, as in DevOps.

In this way, tasks related to application security can be subject to automation and monitoring mechanisms if security elements are integrated from the early stages of development.

In addition, the different teams in charge of development and operations become familiar with the security factors and apply them from the beginning, preventing possible security breaches. So, secure and stable versions of software are created in a short time, and these can be made directly available to customers. This means both customers and organizations benefit from the new possibilities.

DevSecOps lifecycle

Just like DevOps proposes the integration of tools to ensure the correctness of the code throughout the development cycle, DevSecOps suggests the integration of security tools as part of the continuous integration and deployment processes.

The integration of these tools make up pipelines known as application security pipelines, which can be abbreviated as app sec pipelines. These pipelines may include phases like code review automation, security testing, security scans, monitoring, and automated report generation.

This is the lifecycle and the flow of different phases in the DevSecOps ecosystem where the security process will be part of the entire life cycle:

Figure 1.2: DevSecOps life cycle

With the final result of this pipeline, the requirements specification phase, and the implementation, configuration, and deployment of all the tools involved, we can execute the complete DevSecOps cycle, securing each of the phases with specific tools and integrating the entire process with continuous feedback in each phase.

The main benefits of this new culture of operations, development, and security are:

More automation up front reduces the chances of mismanagement and lowers errors.

According to Gartner, "DevSecOps can lead to security functions such as Identity and Access Management (IAM), firewall, and vulnerability scanning being programmatically enabled throughout the DevOps lifecycle, leaving security teams free to establish policies."

Security incidents are reduced and security is improved through shared responsibility between all teams.

Vulnerability remediation costs are reduced.

When we integrate security into the development process instead of a layer that’s added later, we allow the power of agile methodologies to be harnessed by DevOps and security professionals with the aim of avoiding blocks to generate secure code.

ShiftLeft security

DevSecOps practice consists of including security in DevOps to adopt the good practices and benefits that the latter offers in development processes. To do this, it proposes to carry out a security shift left, incorporating security practices from the earliest stages of the development cycle.

These practices begin with the training and awareness of developers, as well as the involvement of stakeholders, being essential to the commitment of all parties regarding the security of the software.

Security must be considered from the design phase to avoid delay in project delivery. To reconcile agility and security, the solution lies in implementing security from the beginning of the project and not after it is completed.

Integrating security into an agile development cycle should start as early as possible, that is, in the requirements definition phase. This approach, called Security Shift Left, includes an orientation toward the principle of the security approach, allowing the software development process to have a totally secure workflow at each stage of the project development cycle.

For this, it is necessary to include the integration of security in the operational and development processes through the implementation of automatic systems and processes that are not only capable of detecting and alerting of security problems but also of reacting in case they detect a vulnerability.

DevSecOps methodologies

With a DevSecOps methodology, the objective is to integrate application security within the development cycle working with agile development methods linked to continuous delivery and continuous integration tools. Security requirements, which are often high, must be part of the process from the development phase to achieve this.

In this sense, efficient communication is necessary between the teams in charge of security, development, and IT operations. So, the interdisciplinary nature of the process is key to achieving a good implementation.

With the DevSecOps methodology, security mechanisms are already integrated in the early stages of development. This way, the time to launch can be dramatically shortened without having to compromise on security.

In fact, the security level tends to increase by incorporating the corresponding measures from the early stages instead of applying them as a security kit on the already closed product.

Applying the DevSecOps methodology

There are six important components in the DevSecOps methodology:

Code analysis: Deliver the code incrementally, with the aim of being able to detect vulnerabilities quickly.

Change management: Increase speed and efficiency by allowing changes to come from any source, and then determine if these changes are beneficial through a review process.

Compliance monitoring: Be ready for an audit at any time (RGPD).

Threat research: Identify potential emerging threats with every code update and respond quickly.

Vulnerability analysis: Identify new vulnerabilities with code analysis, pentesting, and architecture analysis, and then analyze the response and patching times.

Security training: Train systems and development teams in good security practices.

It is important to note that the aforementioned falls mainly on the security team, but one of the greatest principles of DevSecOps is to decentralize security so that it becomes one more requirement in the development and delivery flow.

Tip: Why adopt DevSecOps?

Mainly because this approach decentralizes security, making it one more element of the workflow instead of something exclusive to the security department. This way, secure projects are developed, and security ends up being one more element of the organization culture through the DevSecOps methodology.

According to a survey carried out by GitLab, 30% of users claim to be part of a team focused on the security of the applications they develop, but 45% of developers still consider that security tests are carried out in a phase too late in the life cycle.

Security testing

Security testing in code is an essential element of a DevSecOps tool because it helps determine application security flaws at the code level, before they can be exploited by an attacker. So, it is important to analyze all the dependencies that are being used in the application and check them for vulnerabilities that arise from the lack of security patches.

Security testing is often called intrusion testing or penetration testing. This testing can be carried out in two modes: white box or black box. It is aimed at breaking the security measures of a system.

White box testing allows static analysis, checking the internal functioning of the applications, and having all the necessary knowledge through source code and architecture.

Black box testing focuses on examining the functionality of the application without the knowledge of its internal structure using dynamic analysis. The test cases of this approach focus on exploiting the interaction with the application from the outside (APIs, databases, files, protocols, input data, and so on) to break the application’s security measures.

Specific teams of attackers or adversaries called Red Team and teams of defenders called Blue Team are often employed to organize and optimize security tests on an ongoing basis. Red team members explicitly put themselves in the role of an adversary or attacker and operate independently and continuously. Members of the blue team focus on monitoring and defending a system against these attacks.

The main advantage of using white box testing is that it saves development time and costs by identifying vulnerabilities during development. This way, developers can spend time developing and innovating, rather than correcting bugs in applications deployed in production.

You can scan your source code for known vulnerabilities if you are using GitLab as your CI/CD continuous deployment and integration application. GitLab performs a comparison between the source and target branches and displays the information directly when merging between the two branches.

Tip: Security testing with GitLab

If you are working with GitLab, this tool supports both static and dynamic analysis and automatically includes extensive security analysis every time a commit or pull request is performed. This includes static and dynamic security testing, along with dependency and container analysis.

GitLab secure:https://docs.gitlab.com/ee/user/application_security/

Static analysis:https://docs.gitlab.com/ee/user/application_security/sast/

Dynamic analysis:https://docs.gitlab.com/ee/user/application_security/dast/

Dependency analysis:https://docs.gitlab.com/ee/user/application_security/dependency_scanning/

Container analysis:https://docs.gitlab.com/ee/user/application_security/container_scanning/

Security code review

A security code review is an activity that consists of analyzing the software’s source code to find errors and security problems. This activity can be carried out both in traditional and agile development processes. It allows us to identify problems like common programming errors, incorrect use of security tools provided by frameworks, insecure use of cryptography primitives, and incomplete development of a requirement, among others.

In agile methodologies, it is usually convenient to perform a code review every time a change is made. These reviews can be carried out by the developer who made the change as well as by another person. At the same time, it improves the code quality by verifying that it complies with guides and good coding practices, whether they are specific to each language or to the organization.

Various types of reviews can be performed on the code in order to detect security problems like peer reviews, code audits, and automated code reviews.

Continuous integration and continuous delivery

DevOps manages principles that are part of the collaborative structure and are used throughout the development and deployment of applications. The following are the principles in which DevOps operates:

Continuous integration

Continuous delivery

Continuous deployment

Software integration raises problems that are known to those involved in software development—new code is written that implements a new feature and integrates with the rest of the project by performing unit and integration tests.

In order to avoid errors at the end of the development phase, many teams are committed to applying continuous integration, with which we can implement changes directly in the project every day, and if possible, several times a day.

Like continuous delivery, continuous integration is a common practice, especially in the field of agile software development. The goal of this approach is to work in small steps to achieve a more effective development process and to be able to react more flexibly to changes.

Since they work with small functionalities that can be developed in hours or a few days, integration is done quickly and the developer can make their work available to the rest of the team in just a few minutes. Any errors discovered in this process can be quickly located and fixed.

Continuous Integration (CI)

Continuous integration is the way in which the software development team integrates its partial or total work, in a certain time established by the work team. It requires automation tools that are unique to the entire team of developers. These tools help integrate in continuous form parts of code that are validated by automatic tests, which makes the development team’s work more efficient by allowing them to detect failures in the early stages of the development cycle.

Continuous integration originated under the extreme programming methodology and is a software development practice that requires the periodic integration of code changes into a shared repository. Several useful steps can be followed to have a continuous integration process:

Have a code repository in which the development is centralized. Each developer works on small tasks, and the changes to the central line of the repository are included when each task is finished.

Start a process of compilation and testing in an automated way, which proves that the changes and additions are correct and have not altered any part of the software. For this to work properly, there must be a good set of tests that can be trusted.

Execute this process several times a day, paying attention to the reported errors, which become a priority until they disappear. With this, we can have the latest functional version of the project status on the main line, a version that is updated several times a day.

The following image shows the continuous integration pipeline where developers integrate their code in the repository. Every time a commit occurs, a build tool and CI integration server are in charge of executing the construction process automatically, in addition to executing the tests to verify that the uploaded code is correct from functional the point of view:

Figure 1.3: Continuous integration pipeline

The continuous integration tools (CI tools) help in repository creation, execution of tests, compilation, and version control, sometimes autonomously and sometimes in combination with other applications.

Orchestrating CI

One of the things necessary to achieve the objectives set by the DevSecOps methodology is the coordination of the work done by the team of developers. This is when the concept of continuous integration comes into play. Its main objective is to coordinate and integrate the work of the entire software development team in a main line frequently and deliver the product with these new changes as soon as possible. Jenkins is one of the leading engines for monitoring continuous integration.

Jenkins https://jenkins.io is probably one of the best-known continuous integration tools in the market. This software written in Java has been in constant development since 2005 and has numerous functions that assist in continuous integration, deployment, and continuous delivery. This tool can be used mainly to orchestrate processes in software development. Let’s highlight its main capabilities:

Open source and written in Java programming language

Great support for plugins that add new functionalities

Complements on delivery tasks and continuous deployment

Compatible with many version control systems

Controls via GUI (web-based), REST API and command line

Execute manual or automatic tasks

Distributed execution in agents

Jenkins acts by orchestrating each process and the main function is to download sources from version control, compile them, run tests, and generate reports.

Selection of continuous integration tools

In principle, continuous integration can be applied without the need for specific tools as all phases can be carried out manually, but this would require a lot of time and discipline. The appropriate tools can help facilitate work since they usually provide a server and help in the compilation of the project and version control.

Today, we can find a wide variety of tools for Continuous Integration (CI). They all aim to help the developer implement this methodology, and they do it in different ways. These tools not only differ from each other in terms of their features, but there is also a great variety when it comes to licensing.

While many of them are open source and freely available, other vendors offer commercial tools. The most used tools in the market whose objective is continuous integration are:

Travis CI https://travis-ci.org. It is a continuous integration tool that works in conjunction with GitHub repositories and can be configured with a YAML file saved in the root directory of the project. This way, GitHub informs Travis CI of all the changes made in the repository and keeps the project updated every time there is a change in this file. The main features are as follows:

Multiplatform and developed in Ruby

Works with GitHub repository

It is configured with a YAML file

Free for open source projects

Open source (MIT license)

Bamboo https://www.atlassian.com/software/bamboo is a solution developed by the Atlassian company, which also manages the Bitbucket file hosting service and allows the execution of continuous integration tasks, deployment, and release management functions. The main features are as follows:

Multiplatform and developed in Java

Provides a web interface and REST API

Free for open source projects

GitLab CI is part of the popular GitLab version control system and is compatible with GitLab CI Docker. In addition to continuous integration, GitLab offers continuous deployment and delivery. As with Travis CI, the GitLab CI configuration is done with a YAML file, and pipelines can be configured and adapted to the requirements of each project.

You can get more information about this tool in the GitLab documentation at https://about.gitlab.com/stages-devops-lifecycle/continuous-integration/.

CircleCI (https://circleci.com) is a continuous integration tool that works with both GitHub and Bitbucket repositories. One of the main advantages offered by CircleCI is its ability to automatically run compatible builds in different environments, thanks to the use of Docker containers. The main features are as follows:

Configuration with a YAML file

Supports also continuous deployment

You can deploy it on-premise or using hosting with a cloud provider

The free tier allows deployment in a container

CruiseControl (http://cruisecontrol.sourceforge.net/) has probably been the oldest continuous integration tool since its launch in 2001. It has been developed ever since, by Martin Fowler, a pioneer in the field of continuous integration, among others. Along with a clear dashboard, developers have numerous plugins at their disposal to make their work easier. CruiseControl offers developers a control panel where they can check the build status, and its main features are:

Cross-platform and written in Java

Web-based dashboard

Versions for Ruby (CruiseControl.rb) and .NET (CruiseControl.NET)

Open source (BSD license)

Codeship (https://www.cloudbees.com/products/codeship) is a continuous integration tool developed by CloudBees with support for GitHub, BitBucket, and GitLab repositories. The tool is available in two versions: the basic version with a simple web interface, and the professional version that offers support for working with Docker containers. It offers a pre-defined CI environment and CI/CD workflows in its free version, which allow for simultaneous build testing on shared and pre-configured containers. The main features are as follows:

Web interface in the basic version

Configuration files in the repository in the professional version

Support for Docker containers in the professional version

Free tier for 100 builds per month in a test pipeline

TeamCity (https://www.jetbrains.com/teamcity) is a software that has "gated commits" as its main functionality, allowing the tool to verify changes in the code before integrating them into the main branch. So, only when the code is free of errors and the tests have been run correctly does it become part of the code base for the whole team. The tool automatically runs tests in the background so that the developer team can continue working on the code.

This tool emphasizes interoperability with other tools, and thanks to the pre-tested commits feature, it has the ability to check the new code before integrating it into the main line and inform in case it detects any errors. The main features are as follows:

Cross-platform and written in Java

Gated commits

Free tier for 100 builds with 3 build agents

Offers 50% discount for startups and free for open source projects

Continuous delivery (CD) - Pipelines in software development

Continuous delivery is an innovative concept of software development that is being heard more and more frequently. Thanks to this practice, the production phases that include development, quality control, and delivery are automatically repeated throughout the development process through a continuous delivery pipeline.

The main advantage is that with this methodology, software can be built under quality controls every so often in each of its development phases, allowing deliveries to be made even if the team continues to work on the development of the final product.

Figure 1.4: Software delivery pipeline

In Continuous Delivery (CD), the integrated code (IC) is automatically tested through many environments throughout the process to reach the preproduction phase, where it is ready to be implemented definitively. The interaction between CI and CD is called CI/CD. Additionally, the pipeline provides continuous feedback, which allows us to improve the software immediately after each modification to the source code.

Advantages of continuous delivery

Software development worked differently earlier—the final product was only delivered if all functionalities were fully developed, worked perfectly, and no major flaws were detected when quality tests were performed. So, the developer had to release patches or updates every so often. Thanks to continuous delivery, the customer receives the product at an earlier stage of development, wherein it has not yet been completed.

This pre-delivery usually includes the structural functionality of the software so that the customer can test it in a real environment. This way, the client themselves (or the software tester) play an important role in the quality control process.

Thanks to the feedback received, the developer can improve the functionalities of the product in the development phase. Additionally, they receive valuable information that gives them a clear idea about what functionality they should develop next.

In this way, the three areas that include development, quality control, and production are not replaced by a single process but are constantly interconnected. When working with multiple clients, it is impossible to achieve something like this if we do not have automated processes. This is where continuous delivery intervenes as it is responsible for automating the entire process.

Thanks to continuous delivery, we can check the processes and improvements implemented on the software in real time to get feedback. If a change generates unwanted side effects, we can detect them quickly and take the necessary actions early in development. This point is an important improvement because it facilitates, for example, the detection of bugs within the code.

Continuous Integration (CI) versus Continuous Delivery (CD)

The term continuous integration often appears in the same context as that of continuous delivery. However, an important difference affects the scope of both terms. We are referring to the automation of the testing process when we talk about continuous integration, so the pipeline is a shared component with continuous delivery. Continuous delivery is a broader term as it encompasses the software delivery process as an automated process.

This way, continuous delivery complements the continuous integration model and involves the end user as they deliver the product and simultaneously run the relevant tests. The following table compares the two concepts: