Integrating Security with DevOps on Oracle Cloud (Part 2 of 2)

 Sanjay Basu

This post is part 2 in our blog series about how we integrate security with a generic DevOps-based application development process. In part 1, we defined DevOps methodology and practices, focusing on how to integrate continuous security into the larger DevOps process to support continuous application development and operation.

In this post, we cover some of the fundamental infrastructure components, such as cloud firewall services, identity management services, and continuous patching without downtime.

Network and Application Security Services

When you develop an application, or add or remove features, it’s essential to ensure that only required TCP ports are open. Opening ports that aren’t required can lead to exploits and compromises caused by vulnerabilities in the OS or supporting applications. The following figure shows the danger of keeping TCP ports open and accessible to nontrusted networks.

Diagram courtesy of https://geekflare.com/port-scanner-server/

In the previous post, we talked about how to integrate continuous security testing in the CI/CD pipeline. Generally, you could use an NMAP-based scanning tool for your internet-facing applications.

Most of the time, you need to keep some of these less secure ports—such as 123 for NTP, 69 for TFTP, or 137 for NetBIOS—open for supporting services and the application to work correctly. But you should ensure that these ports aren’t exposed to nontrusted networks by using firewall services.

Use Firewalls to Restrict Access

In Oracle Cloud Infrastructure, firewall services aren’t treated as a separate security control. Instead, they are fundamental components that can be manipulated through Infrastructure as Code (IaC). When you are developing application features, you should programmatically update or modify these firewall parameters. Oracle Cloud Infrastructure firewall services provide port filtering at the virtual cloud network (VCN) subnet level (security lists) and microsegmentation within a subnet at the VNIC level (network security groups). These services have well-defined APIs and SDK support.

All the major security and firewall vendors have products certified on Oracle Cloud Infrastructure. Some of our major security partners in the firewall technology area are CheckPoint, Cisco, Palo Alto, Fortinet, A10, and Aviatrix. They all provide a solid set of APIs and SDKs to programmatically configure their products on Oracle Cloud Infrastructure as virtual or bare metal appliances.

Protect Applications Listening on Open Ports

After closing down access to certain TCP ports, the next big security task is to protect the application listening on required open ports. For this kind of application security, a web application firewall (WAF) is typically used. Oracle Cloud Infrastructure WAF can be enabled with the Oracle Cloud Infrastructure Load Balancing service and configured using APIs and SDKs as part of IaC. We’ve also introduced next-generation runtime application self-protection (RASP) products through partners such as Imperva and Run Safe Securities. Using Terraform and Ansible, we can automate the instantiation and installation of these products as part of the application security configuration during application development cycles.

We've also programmatically integrated other Oracle Security products, such as Cloud Access Security Broker and Identity Cloud Services, to continuously monitor, protect, and authenticate application code and cloud resources a part of the DevOps processes and phases.

Patch Operating Systems

The next big task is to protect and continuously patch the OSs of the underlying hosts on which the applications or containers run. Oracle Autonomous Linux, along with the upcoming OS Management Service, addresses this continuous OS patching requirement. This service will use Oracle Ksplice to maintain and manage patches without restarting the instances. Ksplice is preinstalled in all Oracle Linux instances, and it’s available for Ubuntu Linux. For CentOS and Red Hat Linux, it can be easily installed automatically through an init script. The command and output look as follows:

Copied to Clipboard
Error: Could not Copy
Copied to Clipboard
Error: Could not Copy
<img alt="" src="https://blogs.oracle.com/content/published/api/v1.1/assets/CONTAF94B89BE9984AAEBC29E725CD04EF35/native?cb=_cache_9713&channelToken=f7814d202b7d468686f50574164024ec" style="width: 450px; height: 579px;">

Ksplice tracks of all the patches every time a library is modified, and it keeps the patch level updated. For more information about Ksplice, see this blog post.

Continuous Security with Automated Test and Deployment Pipeline

All the preceding security tasks can be integrated with the DevOps CI/CD pipeline tasks for continuous automated deployment.

The Oracle Cloud Infrastructure services and partner products mentioned in this post are integral components of the continuous security process (see the “Pillars of Continuous Security” section in part 1 of this series):

  • The Oracle Cloud Infrastructure firewall and WAF services, and partners’ RASP products, can be integrated with Jenkins to provide test-driven security.
  • With external penetration and exploit testing tools, remediation actions can be coded and automated as part of the automated response process.
  • Oracle Cloud Access Security Broker provides an exhaustive list of cloud security controls and risk assessment services based on automated machine learning, and is part of the continuous security risk assessment process.

Resources and Acknowledgments

For more information, see the following resources:

I’d like to extend a sincere thanks to Johnnie Konstantas for technical review.

Comments

Post a Comment

Popular posts from this blog

OCI Object Storage: Copy Objects Across Tenancies Within a Region

Image
Note : My original blog was published in ORACLE CLOUD INFRASTRUCTURE blog site on April 15th, 2019. I have republished it here with permission. Official Disclaimer : The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation. This post was developed jointly with Mohamad Charaf, Oracle Enterprise Cloud Architect. If you have two tenancies in the same region, and you want to copy data that is stored in Object Storage from one tenancy to the other without making the buckets public, this action requires some additional types of identity and access management (IAM) policies. This blog post walks you through how to create these policies. For this example, the source tenancy is named ACMEBMCS and the destination tenancy is named ACMEOCISA. In ACMEBMCS, the Object Storage buckets are in the benchmark compartment. In ACMEOCISA, the target compartment is oracleexa . The follow
Read more

Religious Perspectives on Artificial Intelligence: My views

Image
  I am an Atheist. Born in a Hindu family, I have experimented with Christianity and Buddhism. Jokingly, I describe my journey from Many Gods to One and then None. I followed Hinayana Buddhism for a long time. Lately, I have been studying Lokayata/Carvaka school of the Hindu Darsana (philosophy). I like to be identified as a Hindu Atheist. Why Hindu? Because my birthplace is on the east side of the River Indus.
Read more

The Legal Rights of an Algorithm

Image
  At first glance, you might think how it’s possible for something that doesn’t have a mind, body, or soul to have any legal entitlement. After all, algorithms don’t have physical attributes, and their existence can’t be easily tracked unless you’re a tech specialist responsible for creating them.  However, while algorithms don’t have any physical attributes, they have become smarter over time, mimicking human behaviors and traits to produce actionable results. Initially, algorithms started as simple data sets combined in several valuable ways to create patterns. They generate suggestions and solutions that help guide you, whether you’re on social media or search engines, while also providing insights within several fields, including the legal, medical, and marketing fields. Algorithms also consistently correct their mistakes without requiring human intervention.  Believe it or not, algorithms have legal rights too. While many users are skeptical about algorithms because of security an
Read more