Integrating Security with DevOps on Oracle Cloud (Part 2 of 2)
This post is part 2 in our blog series about how we integrate security with a generic DevOps-based application development process. In part 1, we defined DevOps methodology and practices, focusing on how to integrate continuous security into the larger DevOps process to support continuous application development and operation.
In this post, we cover some of the fundamental infrastructure components, such as cloud firewall services, identity management services, and continuous patching without downtime.
Network and Application Security Services
When you develop an application, or add or remove features, it’s essential to ensure that only required TCP ports are open. Opening ports that aren’t required can lead to exploits and compromises caused by vulnerabilities in the OS or supporting applications. The following figure shows the danger of keeping TCP ports open and accessible to nontrusted networks.
Diagram courtesy of https://geekflare.com/port-scanner-server/
In the previous post, we talked about how to integrate continuous security testing in the CI/CD pipeline. Generally, you could use an NMAP-based scanning tool for your internet-facing applications.
Most of the time, you need to keep some of these less secure ports—such as 123 for NTP, 69 for TFTP, or 137 for NetBIOS—open for supporting services and the application to work correctly. But you should ensure that these ports aren’t exposed to nontrusted networks by using firewall services.
Use Firewalls to Restrict Access
In Oracle Cloud Infrastructure, firewall services aren’t treated as a separate security control. Instead, they are fundamental components that can be manipulated through Infrastructure as Code (IaC). When you are developing application features, you should programmatically update or modify these firewall parameters. Oracle Cloud Infrastructure firewall services provide port filtering at the virtual cloud network (VCN) subnet level (security lists) and microsegmentation within a subnet at the VNIC level (network security groups). These services have well-defined APIs and SDK support.
All the major security and firewall vendors have products certified on Oracle Cloud Infrastructure. Some of our major security partners in the firewall technology area are CheckPoint, Cisco, Palo Alto, Fortinet, A10, and Aviatrix. They all provide a solid set of APIs and SDKs to programmatically configure their products on Oracle Cloud Infrastructure as virtual or bare metal appliances.
Protect Applications Listening on Open Ports
After closing down access to certain TCP ports, the next big security task is to protect the application listening on required open ports. For this kind of application security, a web application firewall (WAF) is typically used. Oracle Cloud Infrastructure WAF can be enabled with the Oracle Cloud Infrastructure Load Balancing service and configured using APIs and SDKs as part of IaC. We’ve also introduced next-generation runtime application self-protection (RASP) products through partners such as Imperva and Run Safe Securities. Using Terraform and Ansible, we can automate the instantiation and installation of these products as part of the application security configuration during application development cycles.
We've also programmatically integrated other Oracle Security products, such as Cloud Access Security Broker and Identity Cloud Services, to continuously monitor, protect, and authenticate application code and cloud resources a part of the DevOps processes and phases.
Patch Operating Systems
The next big task is to protect and continuously patch the OSs of the underlying hosts on which the applications or containers run. Oracle Autonomous Linux, along with the upcoming OS Management Service, addresses this continuous OS patching requirement. This service will use Oracle Ksplice to maintain and manage patches without restarting the instances. Ksplice is preinstalled in all Oracle Linux instances, and it’s available for Ubuntu Linux. For CentOS and Red Hat Linux, it can be easily installed automatically through an init script. The command and output look as follows:
<img alt="" src="https://blogs.oracle.com/content/published/api/v1.1/assets/CONTAF94B89BE9984AAEBC29E725CD04EF35/native?cb=_cache_9713&channelToken=f7814d202b7d468686f50574164024ec" style="width: 450px; height: 579px;">
Ksplice tracks of all the patches every time a library is modified, and it keeps the patch level updated. For more information about Ksplice, see this blog post.
Continuous Security with Automated Test and Deployment Pipeline
All the preceding security tasks can be integrated with the DevOps CI/CD pipeline tasks for continuous automated deployment.
The Oracle Cloud Infrastructure services and partner products mentioned in this post are integral components of the continuous security process (see the “Pillars of Continuous Security” section in part 1 of this series):
- The Oracle Cloud Infrastructure firewall and WAF services, and partners’ RASP products, can be integrated with Jenkins to provide test-driven security.
- With external penetration and exploit testing tools, remediation actions can be coded and automated as part of the automated response process.
- Oracle Cloud Access Security Broker provides an exhaustive list of cloud security controls and risk assessment services based on automated machine learning, and is part of the continuous security risk assessment process.
Resources and Acknowledgments
For more information, see the following resources:
I’d like to extend a sincere thanks to Johnnie Konstantas for technical review.