Here is a short presentation on the DevOps to DevSecOps journey.
- What DevOps is and its best practices.
- Practical Scenario of DevOps practices.
- DevOps transformation Journey.
- Transition to DevSecOps and why we need it.
- Enterprise CI/CD Pipeline.
5. How to follow DevOps culture?
DevOps is a culture which needs to be practiced in order to achieve organizational goals in a better and quicker way.
In technical terms:
“DevOps is a set of practices and cultural changes – supported by automation tools and Lean processes – that creates an automated software delivery pipeline, enabling organizations to deliver better-quality services and applications faster.”
9. Infrastructure as Code (IaC)
What is meant by IaC?
It is a method to provision and manage IT infrastructure through the use of source code, rather than through standard operating procedures and manual processes.
13. Continuous Delivery
It is a state of being ready and able to release any version at any time on any platform.
This does not mean the code or project is 100% complete, but the feature sets that are available are vetted, tested, debugged and ready to deploy, although you may not deploy at that moment.
Continuous Delivery is a small build cycle with short sprints.
Continuous Deployment
It is being able to continually deploy.
With Continuous Deployment, every change that is made is automatically deployed to production. This approach works well in enterprise environments where you plan to use the user as the actual tester, and it can be quicker to release.
15. Containerization
Containerization is a lightweight alternative to a virtual machine that involves encapsulating an application in a container with its own operating system, so that it runs in every environment, from physical computers to virtual machines, from bare metal to clouds, etc.
16. Orchestration
Container orchestration is the automatic process of managing or scheduling the work of individual containers for microservice-based applications across multiple clusters.
1. Configuring and scheduling of containers.
2. Provisioning and deployment of containers.
3. Availability of containers.
4. Scaling of containers.
5. Allocation of resources between containers.
6. Load balancing, traffic routing and service discovery of containers.
7. Health monitoring of containers.
8. Securing the interactions between containers.
17. Netflix - DevOps Transformation
Netflix: from DVD sales to the world’s leading internet television company, with more than 100 million members worldwide enjoying 125 million hours of TV shows and movies each day.
Netflix operates a cloud-based infrastructure composed of hundreds of microservices.
Developers can automatically build pieces of code into deployable web images without relying on IT operations.
Using more than 100,000 instances on AWS.
Centralizing flow logs using Amazon Kinesis Streams.
Netflix realizes multi-region resiliency using Amazon Route 53.
Netflix tunes Amazon EC2 instances for performance.
The journey to the cloud at Netflix began in August 2008, when they experienced a major database corruption.
They realized that they had to move away from relational databases in their datacenter, towards highly reliable, horizontally scalable, distributed systems in the cloud.
18. Transition to DevSecOps
DevSecOps was founded by security practitioners dedicated to the science of how to incorporate security within Agile and DevOps practices.
DevSecOps is the practice of integrating automated security tasks within DevOps processes. It is about going fast and safe.
DevSecOps is about creating a #SecurityFirst culture, where security is a part of everyone’s job.
19. Why DevSecOps?
It’s tough to get important security fixes, controls, and coding standards into a project that's "done and dusted" as far as the development team is concerned. So what happens? The product goes out the door with known, and unknown, security vulnerabilities, with possibly some promise to "fix them in the next release." This is what you get when you put security after development — "Dev" then "Sec" then "Ops."
20. “Sec” “Dev” “Ops”
Security controls, guidelines, coding standards, and policies must be integrated completely into the software development process. This is done by making security part of the process and pipeline from the beginning — "Sec" then "Dev" then "Ops."
With automation, you can shift-left your approach to security for a SecDevOps strategy.
21. Security as Code (SaC)
Security as Code (SaC) is managing security through code.
- Privilege management
- Define policies
- Internal build and deployment security
- Test policies regularly
22. Exploring DevSecOps Workflow
1. Developers create the code and tests, which are managed by a version control system like Git.
2. Changes are committed to Git.
3. Jenkins pulls the code from the repository, builds it and runs unit tests, as well as static code analysis to identify code quality bugs and security defects.
4. An IaC tool, like Chef, provisions an environment, deploys the application, and applies security configurations to the system.
5. Jenkins runs a test automation suite against the newly deployed application, including UI, back-end, integration, API, and security tests.
6. If the application successfully passes all tests, it is deployed to production using the same infrastructure-as-code tool used in the previous environments.
7. The production environment is continuously monitored by tools like New Relic and Splunk to detect active cyber security threats.
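The Security as Code slide (policies and privilege management written as code and tested regularly) and the security-configuration and static-analysis steps of the workflow above can be made concrete as a policy check that runs as a pipeline stage before promotion. The Python below is an example added here; it is not code from the presentation and not part of Jenkins, Chef or any other tool the slides name. The sample manifest, the policy identifiers (PRIV-001 and so on) and the severity-based gate rule are all constructed for the example.

```python
"""Security-as-code gate: policy checks run over a deployment manifest before
a pipeline stage promotes it. Example added for illustration, not from the
presentation; manifest, policy ids and gate rule are constructed."""
from dataclasses import dataclass

# Constructed sample: a Kubernetes-style Deployment written as a Python dict
# so the example runs without a YAML library. The first container carries
# several policy violations; the second is compliant.
SAMPLE_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "webapp"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [
            {"name": "web",
             "image": "registry.example/webapp:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar",
             "image": "registry.example/sidecar@sha256:0123abcd",
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        ],
    }}},
}


@dataclass(frozen=True)
class Finding:
    policy: str    # policy id (constructed naming scheme)
    severity: str  # "high" blocks promotion, "medium" is reported only
    location: str  # where in the pod spec the violation was found
    message: str


# Each policy is a plain function taking the pod spec and returning findings.
# Keeping policies in source control means they are reviewed, versioned and
# unit-tested like application code, which is what "Security as Code" means.
def no_host_pid(pod_spec):
    if pod_spec.get("hostPID"):
        return [Finding("PRIV-001", "high", "hostPID",
                        "pod shares the host PID namespace")]
    return []


def no_privileged_containers(pod_spec):
    return [Finding("PRIV-002", "high", f"containers[{c['name']}]",
                    "container runs privileged")
            for c in pod_spec.get("containers", [])
            if c.get("securityContext", {}).get("privileged")]


def run_as_non_root(pod_spec):
    findings = []
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        where = f"containers[{c['name']}]"
        if not sc.get("runAsNonRoot"):
            findings.append(Finding("PRIV-003", "high", where,
                                    "runAsNonRoot is not set"))
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("PRIV-004", "medium", where,
                                    "allowPrivilegeEscalation not disabled"))
    return findings


def pinned_images(pod_spec):
    return [Finding("SUP-001", "medium", f"containers[{c['name']}]",
                    "image is not pinned by digest")
            for c in pod_spec.get("containers", [])
            if "@sha256:" not in c.get("image", "")]


def resource_limits(pod_spec):
    return [Finding("RES-001", "medium", f"containers[{c['name']}]",
                    "no CPU/memory limits set")
            for c in pod_spec.get("containers", [])
            if not c.get("resources", {}).get("limits")]


POLICIES = [no_host_pid, no_privileged_containers, run_as_non_root,
            pinned_images, resource_limits]


def evaluate(manifest, policies=POLICIES):
    """Run every policy over the manifest's pod spec and collect findings."""
    pod_spec = manifest["spec"]["template"]["spec"]
    findings = []
    for policy in policies:
        findings.extend(policy(pod_spec))
    return findings


def gate(findings, block_on=("high",)):
    """Constructed gate rule: any finding at a blocking severity stops the
    pipeline; everything else is reported but does not fail the stage."""
    return not any(f.severity in block_on for f in findings)


if __name__ == "__main__":
    results = evaluate(SAMPLE_MANIFEST)
    for f in results:
        print(f"[{f.severity:<6}] {f.policy} {f.location}: {f.message}")
    print("gate:", "PASS" if gate(results) else "FAIL")
```

In the workflow above this would sit as a stage between the IaC step that renders the deployment artifact and the deployment itself, with the stage failing whenever `gate()` returns `False`. Because each policy is an ordinary function, the slide's "test policies regularly" becomes a unit test suite over known-good and known-bad manifests that runs on every commit alongside the application's own tests, so a policy that silently stops catching a violation is noticed at the same point a broken unit test would be.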