DevSecOps
Monitoring
Cloud trail, cloud watch | operational insights, application insights | cloud monitoring, cloud logging
Big Data
Dynamo DB, Redshift | Windows Azure Table, HDInsight | Cloud Datastore, Big Query
Compute Engine
EC2, VM, Compute Engine
Containers
ECS, Azure Container Service, Container Engine
IAM
IAM, KMS | Azure AD, Key Vault | Cloud IAM, Cloud KMS
ITIL
IT Infrastructure LIbrary - well-defined, prescriptive control/best practice framework for managing IT service delivery and operations
Serverless
Lambda, azure functions, cloud functions
Jenkins: Acceptance
Launch the container, run acceptance tests on the running container, shut down the target container, show the test results, upon approval to deploy, tag the container as "prod"
Puppet
Pull, declarative - defined declaratively using a custom ruby dsl (domain specific language) in manifests organized into modules, more oriented towards sys admins; config changes made from one or more centralized "puppet master" serves to remote agents
Chef
Pull, imperative - based on ruby, more oriented towards developers than sys admins, configuration is defined programmatically in Ruby with a simple DSL (recipes organized into cookbooks), following an imperative approach
Ansible
Push (agentless), declarative, written in python and works as a thin wrapper to execute commands over SSH, any node that has the correct list of servers can be used to push out changes over SSH to the rest of the network, config scripts defined in "playbooks" using YAML, support for network devices, does not need agents installed on each machine (just needs python), does not need a master (can be run from any admin system)
Database
RDS, Azure SQL Db, Cloud SQL
Blue/Green Deployment
Run two different environments in production. Blue is active. Changes are rolled out to the green environment. once the changes are deployed and the green environment is running and warmed up, load balancing is used to reroute traffic from the blue to the green environment done incrementally
Storage
S3, Azure Storage, Cloud Storage
Puppet SIMP
Systems Integrity Management Platform - a set of open source puppet modules to enforce security compliance with security content automation program (SCAP) profiles for RHEL, Centos 6 and 7 platforms
Networking
VPC, VNET, Subnet
CD: Pre-Commit
activities before code is checked in to version control, work done before a change is checked in to the code release branch/mainline - unit tests, lint checks (IDE, commit hooks), and code reviews or pair programming
apply config changes: pull
agents on each managed node periodically contact a central server for updates and report on variances or automatically apply changes
Continuous Delivery
an efficient, fast, and reliable way for engineering teams to make changes and a fast, efficient, reliable path to getting these changes into production. `
OSQuery
an open-source tool to ask questions about Linux, OSX, and Windows systems using an SQL interface, returned in a table form; need agents deployed on systems - need a fleet manager to run across multiple nodes; can be plugged into enterprise logging and altering frameworks
Jenkins
automated CI Tool
Acceptance
automated acceptance and functional testing with CD, take the build artifacts created in commit steps, stand up/configure test env., rehearse deployment and rollback steps, run acceptance tests, and optionally perform manual tests
commit
automated build and CI steps, steps triggered by check in. automated build of code and checks done in continuous integration - fast static analysis, storeing build candidates in artifact repos
AWS CodeDeploy and other CD tools
automated deployment pipeline
Inspector
automated security assessment service to check for vulnerabilities and deviations from best practice. Includes hundreds of rules mapped to common security compliance standards and common vulnerabilities
IAST (interactive app security testing)
automatic runtime security checking in CI/CD - passively watch code as it is executed and look for potential security vulnerabilities; instrument the runtime env. such as the Java JVM or the .NET CLR to passively track security vulnerabilities that could be exploited at runtime
DAST
automatically crawl and fuzz an app, injecting common security attacks and assessing the results.
change lead time or cycle time
avg time it takes to get a change or fix into production, which is key metric for devops teams to optimize for. includes change cycle time, development change lead time, and deployment lead time
staging area
between the working tree and the repo, files can be staged to mark them as prepared for commit
agile
break down organizational and communications barriers between dev and the business/customer
devops
break down the barriers between dev and ops
devsecops
break down the barriers with security and compliance
Continuous Deployment
changes are immediately pushed to production after they pass
Apply Config Changes: Push
changes are pushed out from a central server or command exectuor
canary releasing
changes are pushed to one server and carefully monitored to ensure that the update was done correctly, and everything is running as expected Then the changes is pushed to two servers, checked, and then ten servers, checked, then half, and then all of the servers
Deployment
cloud formation, azure resource manager, deployment manager
dev tools
cloud pipeline, code build, code deploy | visual studio team services
continuous delivery
code is always ready to be deployed, but it requires operations to pull changes and deploy them
CAMS (CALMS)
common lens for understanding DevOps and for driving DevOps change - Culture, Automation, Lean, Measurement, Sharing
Docker engine/daemon
containerd: manages complete container life cycle; runC:OCI-compoliant execution env. for a container
operations
continuous monitoring, testing, auditing, and compliance checks
IaC config management tools
define config steps (imperative) or config state (declarative), code and templates for common configs, provide centralized mgmt and reporting of changes across the network, auditing and logging of all actions,
Approach Model for config changes: declarative/intentional
describes the end state that you want, not the steps to achieve it (What, not how)
approach model for config changes: imperative/procedures
describes the steps to set up the configuration that you want (how, not what), much more flexible
Continuous Integration
developers make changes to code or configuration in small, incremental steps; they check these changes into the code mainline frequently (at least once per day); when new code is checked a background process automatically picks up the change , builds the code, and runs through a fast set of automated checks and tests to make sure the code will not break the build; failure in CI should stop developers from checking out code or checking in further changes
git clone
download a project repo from a remote location; check out the most recent commit of the default branch; trakc the remote location as the "origin" remote
Phoenix Test Servers
ensures that test environment is always in a known and consistent state - easier to reproduce/debug problems; after testing, tear down and clean up the test runtime reducing overall attack surface
ITIL
formerly an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
Configuration management (CM)
governance and systems engineering process for ensuring consistency among physical and logical assets in an operational environment. The configuration management process seeks to identify and track individual configuration items (CIs), documenting functional capabilities, and interdependencies.
window of exposure
how long vulnerabilities stay open
change failure rate
how often do changes introduce failure?
A/B testing
implement different options and see which is more popular or more effective (minimize waste). determine the result/benefit of a change and determine if a goal is being achieved.
Dark Launched
implemented in small steps, and then released incrementally to a subset of the user base and tested in production. Protection changes behind "feature switches"
RASP (Runtime app security/self-protection)
instrument the runtime env. such as the Java JVM or the .NET CLR to potentially block security vulnerabilities that could be exploited at runtime
git pull
integrate changes from a remote repo to a local repo
Conceal
java encryption APIs for mobile
Jenkins: union, rehearsal, & delivered
launch container as "prod", moving existing aside if needed, run smoke tests, shut down previous instance after smoke test pass or roll back if fail
AWS AMI
machine image that can be hardened/reviewed to different standards
AWS Shield
managed DDOS
Cloud HSM
managed access to dedicated Hardware Security Module appliances
IAM
managing users and permissions
MTTD (Mean time to detect)
mean time to detect a failure - identify problems quickly
Change frequency
measure of the efficiency and the capability of the org to make changes - how often changes are deployed to production
MTTR (Mean time to recovery)
measures the reliability/quality of service and availability
version control
modern distributed version control systems (git, mercurial) provide many benefits for developers and operations working in parallel - full visibility into code changes, full repo history, simplified branching and merging, built-in support for code reviews
CloudWatch
monitoring service on AWS resources use, for performance and operational health
AWS WAF
on-demand application firewall
snowflakes
one-off congiruations and inconsistencies tha tneed to be identified, understood and resolved
InSpec
open-source ruby dsl for writing declarative compliance checks on infrastructure configuration
git add
place a snapshot of a file from the working tree into the staging area
container
portable runtime env. instance; images - read-only description of container state. multiple images can be layered to build up a container; dockerfile - describes steps to build a container
osquery
programmatic SQL access to linux/osx/windows system configuration information
CFEngine
pull, declarative, oldest programmable config management tool, written in C and has smallest runtime footprint, configuration defined through declarative "promises"
salt/saltstack
push or pull, either imperative or declarative or both, built on a fast, efficient, and scalable parallel remote command execution framework - instructions are executed over encrypted ZeroMQ connections between one or more masters and the remote systems to be managed (called "minions"), can be used to execute ad hoc commands across many different remote systems, gather info (called "grains"), uses fast messaging (ZeroMQ) to collect configuration data (grains) or execute commands on remote systems (minions), developed in python - configuration is defined in YAML "Salt states"
chat and chatops
real-time chat systems are a foundation for sharing information in real-time within ops and with developers and other teams, esp. in distributed environments.
git commit
record all of the staged changes in the repo, including a message for the history/log
Amazon KMS
secure key management service
git push
send changes from the local repo to a remote repo
CloudTrail
service that records API calls for security analysis, change tracking, and compliance auditing
working tree
set of files (a branch at a specific version) ready to be worked on - the checked-out files
Distributed Version Control System (DVCS)
shift version control from a client-server approach to a peer-to-peer one. rather than each client checking out a working copy from the server, in a DVCS env. each client clones the entire repo to their local system.
MVP
simplest and cheapest design possible
Infrastructure as Code
software-defined configuration changes to infrastructure, using tools like Puppet, Chef, CFEngine, Saltstack, or Ansible
Infer
static analysis for C/C++/Objective-C, Java
flow
static analysis for JS
Pyre
static analysis for Python
production
steps before, during, and after code is deployed for production, run pre and post deployment smoke tests to verify config, leverage canary testing and dark launching
repository
stgorage location for all of the project's data - history, files, versions, branches, config data, hooks, etc. Knowns as the "git" directory
registry
stores images; docker hub - the default public registry for images: community, private, etc.
docker client
talks to the engine through a REST API
AWS Cloud Formation
templates for creating and managing gold images, with "sbd" constraints
Packer
tool for creating machine/container images on different platforms from a common configuration - can use the same "golden image" to deploy in docker or VMWare and vagrant on a local system for dev, staging, and production
backlog managers
tracking work, and making it visible within the team and across teams is important to devops teams. by tagging changes with an issue ID when checking changes into the source repo, teams can trace change details all the way from request to delivery to production
Jenkins: Build
triggered by GitLab when code is pushed, validates PHP syntax of code, builds docker container for bricks app, publishes container to registry (artifact repo)
IaC
use high level languages and templates to provision systems, install and configure packages, and manage users, groups, storage, firewalls; immunible
Vagrant
used for rapidly configuring and spinning up VMs. Defined using a simple declarative scripting model
OpenSCAP
used to run regular compliance reports and checks - compliance scanner that can be run to check for a r ange of different policies (PCI DSS< STIG< USGCB, etc.)