DEVOPS BASICS
IT 351 Cloud Security and DevSecOps
Professor Josh Edgar
ABOUT THIS DECK
• This deck seeks to give a basic introduction to DevOps, as DevSecOps is merely a
security-based augmentation of DevOps methodologies that have been around for a
few more years.
• In addition to this deck, you should also read your Vehent textbook:
  • Preface (pages xiii – xv)
  • About This Book (pages xviii – xx)
  • Chapter 1: Securing DevOps (pages 1 – 17)
• Remember, this course is reading-intensive. Please take the time to ensure you are
fully comprehending all assigned readings. Contact me if you have any questions.
This material is for the exclusive use of Marymount University School of Business and Technology students and may not be reproduced without the express written consent of the author.
WHAT IS DEVOPS?
• Let’s start with the basics: DevOps, naturally, is the intersection of software
development (Dev) with IT operations (Ops).
• For far too long, these two components of software engineering and maintenance have
been mutually exclusive, leading to slower feature and bugfix releases, and clunky
deployments that defy today’s Agile methodologies.
• DevOps seeks to reduce how long it takes for system or application changes
to be deployed into production by fostering better collaboration and
automating testing, deployments and routine patching.
• As is also the case with cloud computing, implementing these practices results in lower
costs to an enterprise, and as a result, usually better service to its end users/consumers.
DEVOPS TOOLS
• Following DevOps practices, or assembling a DevOps “pipeline” to automate
the execution of those practices, usually involves a variety of different tools.
You can mix and match any number of tools to fulfill different stages of your
pipeline:
• Source Code Management: GitHub, GitLab, SVN, Bitbucket
• Continuous Integration: Jenkins, Travis, CircleCI
• Continuous Testing: Selenium, TestNG, JUnit
• Configuration Management: Chef, Puppet, Ansible, Terraform
• Monitoring: Splunk, New Relic, Datadog
• Containerization (optional): Docker, Kubernetes
SOURCE CODE MANAGEMENT
• Managing your code in a central repository is critical when working on development
teams, large and small. Tools such as Git allow for different team members to work
on different feature releases or bugfixes in parallel, without accessing the same files
in real-time.
  • i.e., Coding in Git is not similar to group work on a Google Doc, as everyone accesses that in
    real time.
  • In Git, to work on a separate feature, you would create a “branch” from a “master”
    repository, “clone” that branch’s code to your local machine, work on it, “commit” and
    “publish” your changes back to the Git server, and then “merge” the branch back into the
    master.
  • If you and a teammate both edited the same line of code, Git will flag this during the merge
    process and stop until the conflict has been manually resolved.
  • For a visual explanation, check out the flow graphic on this page:
    https://nvie.com/posts/a-successful-git-branching-model/
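The branch, commit, merge and conflict behaviour described above, as an added example that is not part of the original deck. It runs entirely in a temporary local repository, so the “clone” and “publish” steps against a Git server are omitted; the file, branch names and values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: two branches change the same line, so Git stops the merge.
# Repository, file and branch names are constructed for illustration.

# Run git in the demo repo with a fixed identity so commits work anywhere.
g() {
  git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false "$@"
}

setup_repo() {
  REPO=$(mktemp -d)
  git init -q "$REPO"
  g symbolic-ref HEAD refs/heads/master      # name the first branch "master"
  printf 'timeout = 30\n' > "$REPO/app.conf"
  g add app.conf && g commit -q -m "initial config"
}

# Create a branch from master, change the single line, commit it there.
edit_on_branch() {   # $1 = branch name, $2 = new value
  g checkout -q -b "$1" master
  printf 'timeout = %s\n' "$2" > "$REPO/app.conf"
  g commit -q -am "set timeout to $2"
  g checkout -q master
}

# Merge a branch into master and report whether Git completed or stopped.
merge_branch() {
  if g merge -q --no-edit "$1" >/dev/null 2>&1; then echo merged
  else echo conflict; fi
}

# Manual resolution: write the agreed line, stage it, conclude the merge.
resolve_with() {
  printf 'timeout = %s\n' "$1" > "$REPO/app.conf"
  g add app.conf && g commit -q --no-edit
}

run_demo() {
  setup_repo
  edit_on_branch feature-a 60
  edit_on_branch feature-b 90
  FIRST=$(merge_branch feature-a)     # master has not moved: clean merge
  SECOND=$(merge_branch feature-b)    # same line changed on both sides
  MARKERS=$(grep -c '^<<<<<<<' "$REPO/app.conf")   # conflict markers left in file
  resolve_with 90
  FINAL=$(cat "$REPO/app.conf")
  rm -rf "$REPO"
}

run_demo && echo "merge 1: $FIRST, merge 2: $SECOND, resolved: $FINAL"
```

Until `resolve_with` runs, master holds no merge commit for `feature-b`, which is the “stop until the conflict has been manually resolved” behaviour the slide describes.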
CONFIGURATION MANAGEMENT
• Configuration management tools make it easy to use code (that you might have in Git)
to automate the deployment (or destruction) of cloud infrastructure resources. This is a
practice called Infrastructure as Code, or IaC.
  • Tools like Terraform are similar to AWS CloudFormation, except they are cloud-agnostic
    and can automatically deploy resources in AWS, Azure, GCP, Oracle Cloud and more.
    Simple “HCL” code allows you to deploy VPCs, EC2s, RDS instances, configure security
    and auto scaling groups, and more.
  • Tools like Ansible can then further automate the customization of a Linux system once
    the OS is installed, using YAML “playbooks” to automatically install packages, run
    updates, and modify system configurations.
  • You can store all of these IaC files in your Git repositories so that your development
    teams can all work to define the cloud architecture necessary to support your
    application.
CI/CD
• One of the most critical components of a DevOps pipeline is CI/CD, the combined practices of
continuous integration and continuous delivery.
• Continuous integration is the practice of publishing your individual code changes constantly –
usually multiple times per day – to ensure that a feature branch or master represents the latest
changes. This ensures that any other branches that are created to work on different features or
bugfixes will have the latest changes from other team members, preventing the Git source
material from becoming too outdated or incompatible with other changes.
• Continuous delivery (or sometimes, continuous deployment) is the practice of releasing changes
to software (or a cloud infrastructure) in short iterations, ensuring the system always remains
reliable, and not bulking numerous fixes or features into releases that take months to deliver to
the end users. Said differently, the faster a stable improvement can get into the hands of the
users, the better.
  • The key difference between continuous “delivery” and “deployment” is whether or not the deployment is
    done manually or automatically, respectively.
ADDING “SEC”
• Now that you’ve received the crash course on what DevOps is and what the
pipelines typically contain, we can jump into the real purpose of this course:
DevSecOps.
• DevSecOps adds security into the mix, automating risk management, security
patching, log management and threat detection into your existing DevOps
pipelines. It’s a lot to manage, but it greatly reduces risk to the enterprise, and
as with everything else we’ve discussed – it saves businesses money!
• Continue reading Vehent Chapter 1 to learn about how security can be
introduced to a DevOps pipeline.