DevSecOps is not a linear progression from A to B. For cloud developers and architects—who bear responsibility for the development, maintenance, and security of critical enterprise systems—working in parallel on different pieces of infrastructure and software updates poses many challenges, not the least of which is version control.
To meet this challenge, DevSecOps teams often take a continuous delivery (CD) approach, which uses automation to prepare code for production. CD enables developers to scale cloud updates while minimizing bugs and deployment issues, improving agility and reducing risk at release time. Similarly, infrastructure as code (IaC) uses automation to build and configure environments, supporting speedy deployment by promoting consistency and accountability through source control.
So, how can DevSecOps teams combine these two key approaches, CD and IaC? The answer is simple: by tapping into the power of cloud.
Approaching the Challenge
With a CD approach, DevSecOps teams ship small, frequent code changes through an automated release path rather than in large, hand-assembled releases. Though each change may be small, it has the potential to create larger problems if not properly managed. Consistency and accountability in the cloud environment are key to avoiding these problems and achieving scalability.
Typically, DevSecOps teams deploy multiple applications and infrastructure tools, each with its own server, and every additional server is one more thing to patch, monitor, and maintain. A mature, fully staffed team may not find this daunting, but smaller teams may lack the resources or bandwidth to add tools that require their own infrastructure.
In deploying these individual tools and servers, DevSecOps teams often make an initial effort at IaC using two AWS services, CloudFormation and S3. CloudFormation turns a declarative template into a stack of AWS resources, while S3 serves as the place to upload and keep the templates. It is worth being precise here: S3 is a storage service, not a version control system. Even with bucket versioning enabled it records which object was uploaded, not who changed what, or why.
This approach may prove successful at first, but the manual nature of these steps, uploading the latest version of the template, navigating to CloudFormation, pasting the S3 URL, and so on, quickly proves too cumbersome. Ultimately, team members make changes directly in the environment, such as security group rules or Route 53 records, and the running resources drift from what the CloudFormation template declares. The template is no longer an accurate record, which threatens the very consistency and accountability the team is striving for. CloudFormation can detect this (aws cloudformation detect-stack-drift on the stack, then describe-stack-resource-drifts to list the resources that differ), and a drifted security group rule is worth treating as a security finding in its own right, but detection only helps if someone acts on it, and "fixing" drift with another console edit just repeats the cycle. At this point, team members may begin to curse the cloud, not realizing that cloud is the very solution to this problem.
The Power of Cloud
Smaller teams with limited resources may balk at the perceived overhead of adopting a DevSecOps approach, but there are several ways in which organizations can meet this challenge. By working with a managed service provider, enterprises can take advantage of the scalability and ease of use that come with the cloud, while eliminating the need for additional employees to build infrastructure around new tools. AWS has created several clever services that leverage cloud capabilities to facilitate a DevSecOps approach without skyrocketing costs.
As mentioned above, CloudFormation is a great place to start, but it is not the end-all, be-all for scalability and automation. CloudFormation itself does not stop anyone from editing resources by hand; what prevents drift is making a commit the only path to a change. Services like CodeCommit and CodePipeline, working together, do exactly that, and in doing so greatly improve source control.
CodeCommit is a fully managed Git hosting service that stores code in private repositories and supports collaboration through pull requests: users can review and comment on each other's changes, and receive notifications, before merging. It works with standard Git commands as well as its own AWS CLI commands and APIs. (Note that since July 2024 AWS no longer offers CodeCommit to new customers; a team starting today would point the same pipeline at a GitHub, GitLab, or Bitbucket repository through a CodeConnections source action, and the rest of the design is unchanged.) CodePipeline is a CD service that automates the steps that release code from CodeCommit to CloudFormation, as demonstrated in the graphic below:
With these services in place, the only manual intervention is an engineer pushing changes to the CodeCommit repository. CodePipeline picks up the push (through an EventBridge rule on the branch, or by polling the repository) and starts an execution that deploys the change as a new CloudFormation stack or as an update to the existing one. Engineers can therefore update the same template after an approved change request without clicking through the CloudFormation console to create a stack update, and the pipeline's execution history records who committed what, and when. CodePipeline also lets users add further actions, including a manual approval action that holds a change until an approver reviews it; for IaC the useful pattern is to have the pipeline create a CloudFormation change set first and approve that, so the reviewer sees the exact resource changes rather than only the diff in the template. Because the pipeline and CloudFormation run under their own IAM service roles, engineers need commit rights on the repository, not rights to modify production resources directly, and that is what closes the door on the manual edits that caused drift in the first place.
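The pipeline described in the paragraphs above, written as a CloudFormation template so that the pipeline is itself managed as IaC. This is an added example, not code from the original page or from AWS; the repository name (infra-templates), branch, template file (infra.yaml), and target stack name (core-network) are assumptions, as is the set of resources the target template creates. It goes beyond the text in one respect: instead of approving before the deploy action, it creates a CloudFormation change set, pauses for approval, and then executes that same change set, so the approver sees the exact resource changes that will be made.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example pipeline (not from the original page); repo, branch, file and stack names are assumptions.
Parameters:
  RepositoryName:  {Type: String, Default: infra-templates}   # assumed existing CodeCommit repo
  BranchName:      {Type: String, Default: main}
  TemplatePath:    {Type: String, Default: infra.yaml}        # IaC template inside that repo
  TargetStackName: {Type: String, Default: core-network}      # stack that template manages
Resources:
  # Private, versioned bucket holding a copy of every commit the pipeline has seen.
  ArtifactBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration: {Status: Enabled}
      PublicAccessBlockConfiguration:
        {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}
  # Role CloudFormation assumes to build the target stack. Only this role holds resource
  # rights; committers and approvers do not. Scope it to what infra.yaml creates (assumed
  # here: security groups and Route 53 records, the things people tend to hand-edit).
  CloudFormationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        {Version: '2012-10-17', Statement: [{Effect: Allow, Principal: {Service: cloudformation.amazonaws.com}, Action: sts:AssumeRole}]}
      Policies:
        - PolicyName: deploy-target-stack
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [ec2:CreateSecurityGroup, ec2:DeleteSecurityGroup, ec2:DescribeSecurityGroups, ec2:CreateTags,
                         ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress,
                         ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress,
                         route53:ChangeResourceRecordSets, route53:ListResourceRecordSets, route53:GetChange]
                Resource: '*'   # ec2:Describe* requires '*'; narrow the rest by ARN or tag condition
  # Role the pipeline runs under: read the repo, use the bucket, manage change sets on the
  # one target stack, and pass CloudFormationRole. It cannot modify resources itself.
  PipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        {Version: '2012-10-17', Statement: [{Effect: Allow, Principal: {Service: codepipeline.amazonaws.com}, Action: sts:AssumeRole}]}
      Policies:
        - PolicyName: run-pipeline
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:GetObjectVersion, s3:PutObject, s3:GetBucketVersioning]
                Resource: [!GetAtt ArtifactBucket.Arn, !Sub '${ArtifactBucket.Arn}/*']
              - Effect: Allow
                Action: [codecommit:GetBranch, codecommit:GetCommit, codecommit:UploadArchive,
                         codecommit:GetUploadArchiveStatus, codecommit:CancelUploadArchive]
                Resource: !Sub 'arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}'
              - Effect: Allow
                Action: [cloudformation:DescribeStacks, cloudformation:CreateChangeSet, cloudformation:DescribeChangeSet,
                         cloudformation:ExecuteChangeSet, cloudformation:DeleteChangeSet]
                Resource: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${TargetStackName}/*'
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt CloudFormationRole.Arn
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !GetAtt PipelineRole.Arn
      ArtifactStore: {Type: S3, Location: !Ref ArtifactBucket}
      Stages:
        - Name: Source   # the only manual step: an engineer pushes to the branch (polling trigger by default)
          Actions:
            - Name: CodeCommit
              ActionTypeId: {Category: Source, Owner: AWS, Provider: CodeCommit, Version: '1'}
              Configuration: {RepositoryName: !Ref RepositoryName, BranchName: !Ref BranchName}
              OutputArtifacts: [{Name: SourceOutput}]
        - Name: Plan     # compute the diff against the live stack; changes nothing yet
          Actions:
            - Name: CreateChangeSet
              ActionTypeId: {Category: Deploy, Owner: AWS, Provider: CloudFormation, Version: '1'}
              Configuration:
                ActionMode: CHANGE_SET_REPLACE   # new stack if absent, otherwise a fresh change set
                ChangeSetName: pipeline-changes
                StackName: !Ref TargetStackName
                TemplatePath: !Sub 'SourceOutput::${TemplatePath}'
                RoleArn: !GetAtt CloudFormationRole.Arn
              InputArtifacts: [{Name: SourceOutput}]
        - Name: Approve  # pauses until a principal allowed codepipeline:PutApprovalResult acts
          Actions:
            - Name: ReviewChangeSet
              ActionTypeId: {Category: Approval, Owner: AWS, Provider: Manual, Version: '1'}
              Configuration: {CustomData: "Review change set pipeline-changes on the target stack, then approve or reject."}
        - Name: Deploy   # applies exactly the change set that was reviewed
          Actions:
            - Name: ExecuteChangeSet
              ActionTypeId: {Category: Deploy, Owner: AWS, Provider: CloudFormation, Version: '1'}
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                ChangeSetName: pipeline-changes
                StackName: !Ref TargetStackName
```

Deploy it once with aws cloudformation deploy --template-file pipeline.yaml --stack-name infra-pipeline --capabilities CAPABILITY_IAM; from then on a push to the branch is the only input. Two IAM details turn it from a convenience into a control: grant codepipeline:PutApprovalResult to a reviewer group and deny it to the people who commit, so nobody can both write and approve a change, and give no human principal the rights held by CloudFormationRole, because any direct edit of a security group or Route 53 record would reintroduce exactly the drift the pipeline exists to prevent. An EventBridge rule on the branch is the preferred trigger over polling and is omitted here for brevity.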
Through these cloud services, small DevSecOps teams can use automation to implement a CD process to manage IaC without standing up costly new infrastructure. By embracing these principles and methods, developers and engineers can improve the speed, scalability, and consistency of any environment.