Creation of a Fully-Automated DevSecOps CICD Pipeline

Security is generally seen as being at odds with agile processes. Whenever a security issue crops up, application deployment gets held up. DevSecOps does not, however, view security as a hindrance to fast deployment. Rather, it considers security teams a complement to the agile process. The purpose of DevSecOps is to include security early in the CI/CD pipeline so that it can be automated, thereby making bug discovery and vulnerability detection quicker.

In today’s world, the security of company data, as well as the data of its customers, is of utmost importance. Any compromise of data could lead to severe damage to brand reputation. DevSecOps comes as the saving grace. In the recent past, a company approached Loves Cloud with similar concerns about data security. The company is one of the largest business conglomerates in India. With business verticals as varied as telecom, retail, and petrochemicals, they could not afford any vulnerability in their software and systems. They were interested in securing their software deployment process and making it smoother and faster.

The Challenge That Our Client Had Before Them

Our client’s digital transformation journey was already on track. With open source tools like Docker, Kubernetes, and Chef, the company had done away with the old method of software deployment. They had successfully adopted the agile delivery method and DevOps culture and were benefitting from the advantages of cloud computing. However, speed and smoothness are not the only things that a business conglomerate wants. There is also the aspect of security. Given the intensity with which malicious actors are attacking the systems of corporations worldwide, it is now very important to combine security with DevOps.

The developers at the client company already had a shift-left approach to testing, where software or build testing is done earlier in the delivery pipeline to reduce time and trouble. However, it was not a holistic way of approaching security, and they wanted to create a fully automated DevSecOps CI/CD pipeline. Loves Cloud took the job with the awareness that security is of utmost importance to the success of a company.

The Preparation: Goal Setting

The client AVP met with us and, after a thorough discussion, we prepared a to-do list that would serve the purpose of DevSecOps deployment. Our list of goals looked something like this:

  • To integrate Jira with the tools used in the client’s entire CI/CD pipeline: This would help the company deal with tasks, upgrades, and bug-fixes in an organized manner.
  • To remove manual build and deploy process: The idea of DevOps is to automate everything. DevSecOps is intended to automate even the security aspects of the deployment process.
  • To complement the DevOps culture with automated security assessment tests implemented in the pipeline. The forward-thinking developers of the client company had already made our task easier in this regard, as they had started taking the shift-left approach.
  • To make sure that the overall development and deployment process was in line with the DevOps culture combined with security and stability.

The Work Done

Loves Cloud implemented an end-to-end secure CI/CD pipeline that helped the client avoid delay, frustration, security issues and steep costs. As opposed to the earlier method of executing security checks at the end of the software development process, we embedded security checks at the beginning of the software development process. Here are the things that we did to achieve this feat:

  • We implemented Jenkins for continuous integration and continuous deployment. Jenkins has many plug-ins, so it can be customized for DevSecOps easily.
  • As already said, we decided to use Jira for storing information such as bug fixes and security issues in an organized manner. This information should be available to both developers and the people responsible for security checks. So, we integrated Jira with the central repository, GitHub.
  • We further integrated Jira with Jenkins. That way, when a bug or any issue is detected in the Jenkins pipeline, the log report is filed by Jenkins in Jira. This would make bug fixes and security compliance easier for the developers.
  • We integrated Jira with SonarQube to handle vulnerability and bug reports detected by SonarQube in an organized manner.
  • We decided to make Jenkins use Maven for continuous integration. Jenkins, as a build tool, might not be too useful. Maven does a great job in this regard. Yet we could not avoid Jenkins because of its customizability. Thus, we integrated Jenkins and Maven.
  • We integrated Jenkins with SonarQube to run tests on code to detect any vulnerability or policy violation early in the pipeline.
  • To help Maven with build tests, we integrated Jenkins with Nexus Repository Manager so that the software artifacts are stored and can be used whenever needed.
  • To further help Maven in its build jobs, we integrated Jenkins with Docker. With this, the builds are containerized and then tested by Maven.
  • We integrated Jenkins with Clair to make sure that the containers are secure and stable.
  • We integrated Jenkins with Azure for added benefits.
  • We implemented a notification engine to notify developers about any issues with the software builds. The notifications could be sent to email and Slack.
  • To achieve success in the task stated above, we integrated Jenkins with email and Slack.
  • We used Groovy scripts in Jenkins, which gave us the flexibility to have Jenkins as Code/Pipeline as Code (JaaC/PaaC) as well.
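
The stage order described in the list above, sketched as a declarative Jenkinsfile so that a failed quality gate or image scan stops the build before anything reaches the registry. This is an added example, not Loves Cloud's or the client's pipeline: the registry host, image name, SonarQube server name, credential ID and the `ci/clair-scan.sh` wrapper are assumptions, and it assumes the SonarQube Scanner, JUnit, Credentials Binding and Slack Notification plugins are installed.

```groovy
// Added example: hosts, credential IDs and ci/clair-scan.sh are assumptions.
pipeline {
    agent any
    environment {
        REGISTRY = 'nexus.example.internal:8083'   // hypothetical Nexus Docker registry
        IMAGE    = "nexus.example.internal:8083/demo-app:${env.BUILD_NUMBER}" // hypothetical image name
    }
    stages {
        stage('Build and unit test') {
            steps { sh 'mvn -B clean verify' }
            post  { always { junit 'target/surefire-reports/*.xml' } }
        }
        stage('Static analysis') {
            steps {
                withSonarQubeEnv('sonarqube') {    // server name as configured in Jenkins (assumed)
                    sh 'mvn -B sonar:sonar'
                }
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true  // fail the build if the gate fails
                }
            }
        }
        stage('Build image') {
            steps { sh 'docker build -t "$IMAGE" .' }
        }
        stage('Scan image') {
            // Hypothetical wrapper around the Clair scan; a non-zero exit blocks the push.
            steps { sh './ci/clair-scan.sh "$IMAGE" clair-report.json' }
            post  { always { archiveArtifacts artifacts: 'clair-report.json', allowEmptyArchive: true } }
        }
        stage('Publish image') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'nexus-docker',  // hypothetical ID
                        usernameVariable: 'NEXUS_USER', passwordVariable: 'NEXUS_PASS')]) {
                    sh 'echo "$NEXUS_PASS" | docker login -u "$NEXUS_USER" --password-stdin "$REGISTRY"'
                    sh 'docker push "$IMAGE"'
                }
            }
        }
    }
    post {
        success { slackSend color: 'good',   message: "Build OK: ${env.JOB_NAME} #${env.BUILD_NUMBER}" }
        failure { slackSend color: 'danger', message: "Build FAILED: ${env.JOB_NAME} #${env.BUILD_NUMBER} (${env.BUILD_URL})" }
    }
}
```

`waitForQualityGate` only returns once SonarQube calls back to Jenkins, so a webhook pointing at the Jenkins instance has to be configured on the SonarQube side; without it the stage runs into the timeout.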

The Tools We Used

  • Azure Public Cloud Platform.
  • Virtual machines that hosted Jenkins, SonarQube and Nexus Repository Manager.
  • Azure Kubernetes Service for creating Kubernetes cluster to manage the containers.
  • GitHub as the source code repository.
  • Maven for build tests by creating Java applications.
  • JUnit for unit test cases.
  • Jira for organizing information and workflow.
  • Jenkins for CI/CD pipeline.
  • SonarQube for static code analysis.
  • Docker to make application containers.
  • Sonatype Nexus Repository Manager for storing Docker images to help Maven.
  • Clair to make sure Docker images are not vulnerable.
  • Groovy as the scripting language.

The End Results

Was the client happy? Yes. With security measures now placed in the early phase of development, the company saw an exponential reduction in deployment time. Since commit-to-deployment time was reduced, multiple stable deployments were achieved in a single day. No bad code passed to the end of the cycle, as failing code was first corrected and then deployed. Jira made tasks easier. GitHub branches and pull requests could now be created from Jira. Code commits in GitHub and Jenkins build status can be viewed in Jira. SonarQube analysis reports and Clair Docker image scanning reports can be viewed as well. To achieve the DevSecOps purpose, testing was included in the CI workflow. Slack integration would send notifications of successful or failed builds to everybody. This combination of CI and build notification improved developers’ productivity manifold.

At Loves Cloud, we are constantly leveraging the power of various open source software solutions to automate, optimize, and scale the workloads of our customers. To learn more about our services aimed at the digital transformation of your business, please visit https://www.loves.cloud/ or write to us at biz@loves.cloud.