Cloud tools for DevSecOps

Amit Cohen
6 min read · Dec 11, 2022


In this short post, I will cover the software development lifecycle, the DevSecOps methodology, and the development security services offered by AWS, Azure, and GCP. The software development lifecycle starts with planning, where we gather the requirements for the software that will be developed. In the defining phase, we clearly define and refine those requirements into meaningful objectives. In the designing phase, we organize the requirements so that we can properly architect and design the software that best meets them. The development team then writes the software, and the quality assurance team tests it so that it is free of vulnerabilities and bugs before it is ultimately deployed and released to the customer.
The important thing about the software development lifecycle is that it gives us a clear and organized approach to writing and deploying quality software. The DevSecOps lifecycle applies the DevSecOps methodology, in which we integrate security into development, operations, and the software development lifecycle. This lifecycle is drawn as an infinity loop because the work is never done: we want to continually integrate and continually deploy software builds in a secure way that includes security from the start, rather than bolting it on afterwards as a remediation technique. This helps us identify vulnerabilities and security issues earlier in the software development lifecycle and lets the customer remediate them much faster and with less effort.

In the plan phase, the customer's application security team begins by planning a strategy for the security analysis of the software and choosing the method of security testing that will be implemented. In the code phase, we analyze the code as it is being written to identify security issues early, which includes following secure coding best practices. In the build phase, whenever a new build of the application is created, static application security testing (SAST) and software component analysis (SCA) are performed on it. Prior to release, the test phase performs dynamic application security testing (DAST). During the release phase, the DevSecOps methodology focuses on configuration management for the application and its infrastructure, and on implementing access control and data security controls. When the application is ready to be deployed into production, it is important to identify the differences between the production, staging, and development environments and make configuration changes where necessary. The monitor phase continues after the application has been deployed into production: we collect logs and monitor the running application for malicious activity, including monitoring information from containers, the web application firewall, runtime application self-protection, and the security information and event management platform. During the response phase, we respond to ongoing attacks as well as imminent threats. So we are not only thinking about the best way to build software, but also about the best way to secure it even after it has been deployed. As we can see, the DevSecOps lifecycle secures and supports continuous integration and continuous delivery.
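As an added example (not code from the post or from any of the cloud providers), here is a small build-phase security gate of the kind a CI step in CodeBuild, Azure Pipelines, or Cloud Build would run after the SAST and SCA scans: it parses both reports and fails the build on findings at or above a severity threshold. The Bandit-style SAST report shape, the SCA report shape, the file names, and the vulnerability id EXAMPLE-0001 are assumptions or constructed sample data.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "sca"
    severity: str  # normalised to lower case
    summary: str

def parse_sast(report: dict) -> list[Finding]:
    """Bandit-style JSON (assumed shape): 'results' with issue_severity/issue_text/filename/line_number."""
    return [Finding("sast", r["issue_severity"].lower(),
                    f'{r["filename"]}:{r["line_number"]} {r["issue_text"]}')
            for r in report.get("results", [])]

def parse_sca(report: dict) -> list[Finding]:
    """Dependency-audit JSON (constructed shape): packages, each with a list of vulns."""
    return [Finding("sca", v["severity"].lower(), f'{p["name"]}=={p["version"]} {v["id"]}')
            for p in report.get("dependencies", []) for v in p.get("vulns", [])]

def gate(findings, fail_at="high"):
    """Return (passed, blocking findings). Unknown severities never block the build."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= threshold]
    return not blocking, blocking

# Constructed sample reports standing in for the files the scanner steps would write.
SAST_REPORT = json.loads('''{"results": [
 {"issue_severity": "HIGH", "issue_text": "subprocess call with shell=True",
  "filename": "app/run.py", "line_number": 42},
 {"issue_severity": "LOW", "issue_text": "use of assert detected",
  "filename": "app/util.py", "line_number": 7}]}''')
SCA_REPORT = json.loads('''{"dependencies": [
 {"name": "examplelib", "version": "1.0.0",
  "vulns": [{"id": "EXAMPLE-0001", "severity": "critical"}]},
 {"name": "otherlib", "version": "2.3.1", "vulns": []}]}''')

def run_gate(fail_at="high"):
    """Run both parsers over the sample reports and apply the policy."""
    return gate(parse_sast(SAST_REPORT) + parse_sca(SCA_REPORT), fail_at)

if __name__ == "__main__":
    passed, blocking = run_gate()
    for f in blocking:
        print(f"[{f.source}] {f.severity}: {f.summary}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI phase
```

With the sample reports the gate fails at the "high" threshold on both the SAST and the SCA finding, and only on the SCA finding at "critical".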

On AWS, we have a number of services related to software development and to bringing security into it. CodeCommit is a version control service that hosts our Git repositories and manages the commits made to them, so that the code committed to the repository is up to date and in line with any security fixes to our code. Next, CodeBuild is a continuous integration service that supports the build, test, and deploy phases by continuously compiling new builds, testing that code, and preparing it for deployment. CodePipeline automates code release so that we can release code updates rapidly as part of continuous delivery. Finally, CodeGuru is a code review service that uses machine learning and artificial intelligence to analyze our code, tell us whether or not we are following best practices, and identify security issues within it. Used early in the software development lifecycle, automated code review eliminates a lot of headaches by catching security issues during the early stages of development.

Azure offers a suite of services as part of Azure DevOps. The first is Boards, used in the planning phase, which provides Kanban boards for managing the software project. Azure Repos is similar to AWS CodeCommit, but it also integrates code review capabilities similar to those of CodeGuru on AWS. Azure Pipelines automates the CI/CD pipeline, covering both our code builds and the deployment of the application into the desired environment. Test Plans supports the test phase of the DevSecOps lifecycle and lets developers and DevOps teams use manual testing, where you manually configure the software components you would like to test; exploratory testing, for exploring different aspects of the code and uncovering components that have not been tested well enough; and automated testing. Last, Artifacts provides application package management for creating and sharing package feeds from public as well as private sources, so that we can easily manage which packages, whether Python or npm, are used within our code.

For GCP development, we have Cloud Code, a set of plug-ins for IDEs such as VS Code and GoLand that assist with writing code for GCP. Cloud Build is similar to AWS CodeBuild and Azure Pipelines: it supports building, testing, and deploying software, particularly for serverless platforms. Cloud Deploy is a continuous delivery service similar to AWS CodePipeline that automates and streamlines the deployment of our software, particularly container images. GCP has a strong focus on serverless technologies and offers a variety of services to support the development of software on serverless platforms.

To recap, I went over the software development lifecycle, whose phases of planning, defining, designing, development, testing, and deployment take us through gathering requirements, refining those requirements, designing the best architecture so that we can develop the best software, and then testing that software before it is ultimately deployed. Next, I covered DevSecOps, a methodology for integrating security into software development. The DevSecOps lifecycle maps onto continuous integration with its planning, coding, building, and testing phases, and onto continuous delivery with its release, deployment, monitoring, and response phases, thus integrating security into the CI/CD pipeline so that continuous integration and continuous delivery are implemented with security from the start. This is what is meant by "shifting left": moving security away from the end of software development and starting it in the planning phase. Looking at AWS development, we talked about CodeCommit for managing repositories, CodeBuild for continuous integration, CodePipeline for continuous delivery, and CodeGuru, which can be leveraged to review our code for best practices and to identify security issues within it.

For Azure development, we looked at the Azure DevOps suite, which includes Boards for planning the development, Azure Repos, which is similar to AWS CodeCommit, and Azure Pipelines, a CI/CD service for automating the build, release, and deployment of our code. We then looked at Azure Test Plans for testing our code and Azure Artifacts, which manages the various packages used within our code. This is a valuable service, since packages may contain security vulnerabilities that have a cascading effect on the security of our application. For GCP development, there is a special emphasis on software running on serverless platforms, with Cloud Code being a collection of GCP plug-ins for the IDEs our developers use to write software, while Cloud Build supports the build, test, and deploy phases of the DevSecOps lifecycle. And last, Cloud Deploy is a continuous delivery service like AWS CodePipeline that automates the deployment of container images.

Join my Linkedin

Written by Amit Cohen

A product leader with exceptional skills and strategic acumen, possessing vast expertise in cloud orchestration, cloud security, and networking.