DevSecOps

Monitoring

Cloud trail, cloud watch | operational insights, application insights | cloud monitoring, cloud logging

Big Data

Dynamo DB, Redshift | Windows Azure Table, HDInsight | Cloud Datastore, Big Query

Compute Engine

EC2, VM, Compute Engine

Containers

ECS, Azure Container Service, Container Engine

IAM

IAM, KMS | Azure AD, Key Vault | Cloud IAM, Cloud KMS

ITIL

IT Infrastructure LIbrary - well-defined, prescriptive control/best practice framework for managing IT service delivery and operations

Serverless

Lambda, azure functions, cloud functions

Jenkins: Acceptance

Launch the container, run acceptance tests on the running container, shut down the target container, show the test results, upon approval to deploy, tag the container as "prod"

Puppet

Pull, declarative - defined declaratively using a custom ruby dsl (domain specific language) in manifests organized into modules, more oriented towards sys admins; config changes made from one or more centralized "puppet master" serves to remote agents

Chef

Pull, imperative - based on ruby, more oriented towards developers than sys admins, configuration is defined programmatically in Ruby with a simple DSL (recipes organized into cookbooks), following an imperative approach

Ansible

Push (agentless), declarative, written in python and works as a thin wrapper to execute commands over SSH, any node that has the correct list of servers can be used to push out changes over SSH to the rest of the network, config scripts defined in "playbooks" using YAML, support for network devices, does not need agents installed on each machine (just needs python), does not need a master (can be run from any admin system)

Database

RDS, Azure SQL Db, Cloud SQL

Blue/Green Deployment

Run two different environments in production. Blue is active. Changes are rolled out to the green environment. once the changes are deployed and the green environment is running and warmed up, load balancing is used to reroute traffic from the blue to the green environment done incrementally

Storage

S3, Azure Storage, Cloud Storage

Puppet SIMP

Systems Integrity Management Platform - a set of open source puppet modules to enforce security compliance with security content automation program (SCAP) profiles for RHEL, Centos 6 and 7 platforms

Networking

VPC, VNET, Subnet

CD: Pre-Commit

activities before code is checked in to version control, work done before a change is checked in to the code release branch/mainline - unit tests, lint checks (IDE, commit hooks), and code reviews or pair programming

apply config changes: pull

agents on each managed node periodically contact a central server for updates and report on variances or automatically apply changes

Continuous Delivery

an efficient, fast, and reliable way for engineering teams to make changes and a fast, efficient, reliable path to getting these changes into production. `

OSQuery

an open-source tool to ask questions about Linux, OSX, and Windows systems using an SQL interface, returned in a table form; need agents deployed on systems - need a fleet manager to run across multiple nodes; can be plugged into enterprise logging and altering frameworks

Jenkins

automated CI Tool

Acceptance

automated acceptance and functional testing with CD, take the build artifacts created in commit steps, stand up/configure test env., rehearse deployment and rollback steps, run acceptance tests, and optionally perform manual tests

commit

automated build and CI steps, steps triggered by check in. automated build of code and checks done in continuous integration - fast static analysis, storeing build candidates in artifact repos

AWS CodeDeploy and other CD tools

automated deployment pipeline

Inspector

automated security assessment service to check for vulnerabilities and deviations from best practice. Includes hundreds of rules mapped to common security compliance standards and common vulnerabilities

IAST (interactive app security testing)

automatic runtime security checking in CI/CD - passively watch code as it is executed and look for potential security vulnerabilities; instrument the runtime env. such as the Java JVM or the .NET CLR to passively track security vulnerabilities that could be exploited at runtime

DAST

automatically crawl and fuzz an app, injecting common security attacks and assessing the results.

change lead time or cycle time

avg time it takes to get a change or fix into production, which is key metric for devops teams to optimize for. includes change cycle time, development change lead time, and deployment lead time

staging area

between the working tree and the repo, files can be staged to mark them as prepared for commit

agile

break down organizational and communications barriers between dev and the business/customer

devops

break down the barriers between dev and ops

devsecops

break down the barriers with security and compliance

Continuous Deployment

changes are immediately pushed to production after they pass

Apply Config Changes: Push

changes are pushed out from a central server or command exectuor

canary releasing

changes are pushed to one server and carefully monitored to ensure that the update was done correctly, and everything is running as expected Then the changes is pushed to two servers, checked, and then ten servers, checked, then half, and then all of the servers

Deployment

cloud formation, azure resource manager, deployment manager

dev tools

cloud pipeline, code build, code deploy | visual studio team services

continuous delivery

code is always ready to be deployed, but it requires operations to pull changes and deploy them

CAMS (CALMS)

common lens for understanding DevOps and for driving DevOps change - Culture, Automation, Lean, Measurement, Sharing

Docker engine/daemon

containerd: manages complete container life cycle; runC:OCI-compoliant execution env. for a container

operations

continuous monitoring, testing, auditing, and compliance checks

IaC config management tools

define config steps (imperative) or config state (declarative), code and templates for common configs, provide centralized mgmt and reporting of changes across the network, auditing and logging of all actions,

Approach Model for config changes: declarative/intentional

describes the end state that you want, not the steps to achieve it (What, not how)

approach model for config changes: imperative/procedures

describes the steps to set up the configuration that you want (how, not what), much more flexible

Continuous Integration

developers make changes to code or configuration in small, incremental steps; they check these changes into the code mainline frequently (at least once per day); when new code is checked a background process automatically picks up the change , builds the code, and runs through a fast set of automated checks and tests to make sure the code will not break the build; failure in CI should stop developers from checking out code or checking in further changes

git clone

download a project repo from a remote location; check out the most recent commit of the default branch; trakc the remote location as the "origin" remote

Phoenix Test Servers

ensures that test environment is always in a known and consistent state - easier to reproduce/debug problems; after testing, tear down and clean up the test runtime reducing overall attack surface

ITIL

formerly an acronym for Information Technology Infrastructure Library, is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.

Configuration management (CM)

governance and systems engineering process for ensuring consistency among physical and logical assets in an operational environment. The configuration management process seeks to identify and track individual configuration items (CIs), documenting functional capabilities, and interdependencies.

window of exposure

how long vulnerabilities stay open

change failure rate

how often do changes introduce failure?

A/B testing

implement different options and see which is more popular or more effective (minimize waste). determine the result/benefit of a change and determine if a goal is being achieved.

Dark Launched

implemented in small steps, and then released incrementally to a subset of the user base and tested in production. Protection changes behind "feature switches"

RASP (Runtime app security/self-protection)

instrument the runtime env. such as the Java JVM or the .NET CLR to potentially block security vulnerabilities that could be exploited at runtime

git pull

integrate changes from a remote repo to a local repo

Conceal

java encryption APIs for mobile

Jenkins: union, rehearsal, & delivered

launch container as "prod", moving existing aside if needed, run smoke tests, shut down previous instance after smoke test pass or roll back if fail

AWS AMI

machine image that can be hardened/reviewed to different standards

AWS Shield

managed DDOS

Cloud HSM

managed access to dedicated Hardware Security Module appliances

IAM

managing users and permissions

MTTD (Mean time to detect)

mean time to detect a failure - identify problems quickly

Change frequency

measure of the efficiency and the capability of the org to make changes - how often changes are deployed to production

MTTR (Mean time to recovery)

measures the reliability/quality of service and availability

version control

modern distributed version control systems (git, mercurial) provide many benefits for developers and operations working in parallel - full visibility into code changes, full repo history, simplified branching and merging, built-in support for code reviews

CloudWatch

monitoring service on AWS resources use, for performance and operational health

AWS WAF

on-demand application firewall

snowflakes

one-off congiruations and inconsistencies tha tneed to be identified, understood and resolved

InSpec

open-source ruby dsl for writing declarative compliance checks on infrastructure configuration

git add

place a snapshot of a file from the working tree into the staging area

container

portable runtime env. instance; images - read-only description of container state. multiple images can be layered to build up a container; dockerfile - describes steps to build a container

osquery

programmatic SQL access to linux/osx/windows system configuration information

CFEngine

pull, declarative, oldest programmable config management tool, written in C and has smallest runtime footprint, configuration defined through declarative "promises"

salt/saltstack

push or pull, either imperative or declarative or both, built on a fast, efficient, and scalable parallel remote command execution framework - instructions are executed over encrypted ZeroMQ connections between one or more masters and the remote systems to be managed (called "minions"), can be used to execute ad hoc commands across many different remote systems, gather info (called "grains"), uses fast messaging (ZeroMQ) to collect configuration data (grains) or execute commands on remote systems (minions), developed in python - configuration is defined in YAML "Salt states"

chat and chatops

real-time chat systems are a foundation for sharing information in real-time within ops and with developers and other teams, esp. in distributed environments.

git commit

record all of the staged changes in the repo, including a message for the history/log

Amazon KMS

secure key management service

git push

send changes from the local repo to a remote repo

CloudTrail

service that records API calls for security analysis, change tracking, and compliance auditing

working tree

set of files (a branch at a specific version) ready to be worked on - the checked-out files

Distributed Version Control System (DVCS)

shift version control from a client-server approach to a peer-to-peer one. rather than each client checking out a working copy from the server, in a DVCS env. each client clones the entire repo to their local system.

MVP

simplest and cheapest design possible

Infrastructure as Code

software-defined configuration changes to infrastructure, using tools like Puppet, Chef, CFEngine, Saltstack, or Ansible

Infer

static analysis for C/C++/Objective-C, Java

flow

static analysis for JS

Pyre

static analysis for Python

production

steps before, during, and after code is deployed for production, run pre and post deployment smoke tests to verify config, leverage canary testing and dark launching

repository

stgorage location for all of the project's data - history, files, versions, branches, config data, hooks, etc. Knowns as the "git" directory

registry

stores images; docker hub - the default public registry for images: community, private, etc.

docker client

talks to the engine through a REST API

AWS Cloud Formation

templates for creating and managing gold images, with "sbd" constraints

Packer

tool for creating machine/container images on different platforms from a common configuration - can use the same "golden image" to deploy in docker or VMWare and vagrant on a local system for dev, staging, and production

backlog managers

tracking work, and making it visible within the team and across teams is important to devops teams. by tagging changes with an issue ID when checking changes into the source repo, teams can trace change details all the way from request to delivery to production

Jenkins: Build

triggered by GitLab when code is pushed, validates PHP syntax of code, builds docker container for bricks app, publishes container to registry (artifact repo)

IaC

use high level languages and templates to provision systems, install and configure packages, and manage users, groups, storage, firewalls; immunible

Vagrant

used for rapidly configuring and spinning up VMs. Defined using a simple declarative scripting model

OpenSCAP

used to run regular compliance reports and checks - compliance scanner that can be run to check for a r ange of different policies (PCI DSS< STIG< USGCB, etc.)