Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
DevSecOps for Azure

You're reading from   DevSecOps for Azure End-to-end supply chain security for GitHub, Azure DevOps, and the Azure cloud

Arrow left icon
Product type Paperback
Published in Aug 2024
Publisher Packt
ISBN-13 9781837631117
Length 342 pages
Edition 1st Edition
Tools
Concepts
Arrow right icon
Authors (2):
Arrow left icon
David Okeyode David Okeyode
Author Profile Icon David Okeyode
David Okeyode
Joylynn Kirui Joylynn Kirui
Author Profile Icon Joylynn Kirui
Joylynn Kirui
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Part 1: Understanding DevOps and DevSecOps
2. Chapter 1: Agile, DevOps, and Azure Overview FREE CHAPTER 3. Chapter 2: Security Challenges of the DevOps Workflow 4. Part 2: Securing the Plan and Code Phases of DevOps
5. Chapter 3: Implementing Security in the Plan Phase of DevOps 6. Chapter 4: Implementing Pre-commit Security Controls 7. Chapter 5: Implementing Source Control Security 8. Part 3: Securing the Build, Test, Release, and Operate Phases of DevOps
9. Chapter 6: Implementing Security in the Build Phase of DevOps 10. Chapter 7: Implementing Security in the Test and Release Phases of DevOps 11. Chapter 8: Continuous Security Monitoring on Azure 12. Index 13. Other Books You May Enjoy

Understanding the product aspect of DevOps – The toolchain

While DevOps itself is not a tool or product, it requires the use of tools to effectively implement its processes and practices. Both open source and commercial tools are available to support the necessary processes for every phase of the DevOps workflow discussed earlier in this chapter (Plan, Code, Build and Test, Release and Deploy, and Operate and Monitor).

Common tools used in the planning phase include Trello, JIRA, Notion, and Asana. According to the latest Stack Overflow Developer Survey, professional developers prefer JIRA (49%), whereas Trello is most used by those learning to code (43%):

Figure 1.10 – Common tools used in the planning phase

Figure 1.10 – Common tools used in the planning phase

During the code and development phase, developers use integrated development environments (IDEs), such as Visual Studio Code, Visual Studio, IntelliJ, Notepad++, and Eclipse, for coding purposes and version control tools, such as Git (self-hosted or cloud-hosted), Apache Subversion (SVN), Perforce, and Mercurial. It is important to note that while this list highlights some of the more common tools, it is by no means exhaustive. There are countless other tools available on the market, each with its unique features and capabilities. According to the 2022 Stack Overflow Developer Survey, professional developers overwhelmingly prefer Git as their version control tool (96%) and Visual Studio Code as their IDE (74%):

Figure 1.11 – Common code and development tools

Figure 1.11 – Common code and development tools

Important note

The Stack Overflow Developer Survey is an annual survey conducted by Stack Overflow, a popular online community for developers. The survey aims to gather insights into the preferences, opinions, and demographics of the developer community. The 2022 edition can be found here: https://survey.stackoverflow.co/2022.

In the build and test phase, tools such as Jenkins (an open source automation server), Travis CI, and Circle CI are widely used for continuous integration and to build and test automation. According to a recent survey by Digital.ai, Jenkins is used by 56% of DevOps teams, showing its popularity in the industry. In addition, test tools such as Selenium, Junit (a unit testing tool for Java), Nunit (a unit testing tool for .NET), PHPUnit (a unit testing tool for PHP), and Jmeter (a load testing tool for performance testing) can be integrated with build automation servers to facilitate testing procedures. Container build tools such as Docker Build (a tool for building container images from a Dockerfile), Podman Build (a tool for building and managing containers using Containerfiles and Dockerfiles), Buildah (an open source tool for creating and modifying container images), and Kaniko (a secure container build tool designed for Kubernetes clusters) can also be integrated to streamline container image building.

Figure 1.12 – Common tools used in the build and test phase

Figure 1.12 – Common tools used in the build and test phase

During the release and deploy phase, developers use various tools to automate deployments. The following table shows some of the tools used in the release and deploy phase:

Deployment

GoCD

An open source continuous delivery tool that automates deployment pipelines

Octopus Deploy

A deployment automation and release management tool

TeamCity

A build management and continuous integration server

Spinnaker

An open source, multi-cloud continuous delivery platform

ArgoCD

A declarative continuous delivery tool for Kubernetes

Infrastructure as Code

Terraform

An open source infrastructure-as-code software tool

Azure ARM templates

A deployment tool that allows for the definition of the infrastructure and configuration of Azure resources

Azure BICEP templates

An ARM template language replacement for deploying Azure resources

AWS Cloud Formation templates

An open source multi-cloud continuous delivery platform

Container deployment

Helm charts

A package manager for Kubernetes that helps manage Kubernetes applications

Kubernetes manifest files

A YAML or JSON file that defines the desired state of the Kubernetes objects

Configuration management tools

Ansible

An open source automation engine that automates software provisioning, configuration management, and application deployment

Chef

A configuration management tool that helps automate infrastructure

Puppet

An open source tool for managing the configuration of Unix, Linux, and Microsoft Windows servers

PowerShell Desired State Configuration (DSC)

A PowerShell extension that enables the configuration of Windows systems

Table 1.1 – Tools used in the release and deploy phase

During the operate and monitor phase, several tools can be used. Some are highlighted in the following table:

OpenTelemetry

An open source observability framework for generating and collecting telemetry data from applications and infrastructure

Jaeger

An open source, distributed tracing system for monitoring and troubleshooting microservices-based applications

Zipkin

An open source, distributed tracing system for collecting, analyzing, and visualizing traces of requests through microservice architectures

Prometheus

An open source monitoring system and time-series database for collecting and querying metrics from applications and infrastructure

Table 1.2 – Tools used in the operate and monitor phase

A tool such as Prometheus can be used to instrument application code and generate telemetry data such as metrics, logs, and traces. Prometheus, Grafana, and ELK stack (Elasticsearch, Logstash, or Kibana) can be utilized to monitor the performance and availability of applications and infrastructure, providing insights into potential issues and enabling proactive remediation.

Collaboration and communication tools such as Slack, Microsoft Teams, Azure Boards, and Atlassian Confluence can be used to facilitate communication and collaboration between teams, helping to streamline workflows and improve productivity.

Developers have access to a wide variety of tools for each phase that extends beyond the ones we have mentioned. To understand the abundance of tooling options available, we suggest referring to the cloud-native landscape map provided by the Cloud Native Computing Foundation (CNCF) at https://landscape.cncf.io/. The map (Figure 1.13) is designed to help people navigate the various tools, technologies, and platforms that are available in the cloud-native space. It showcases tooling across several categories, such as application development, continuous integration and delivery, automation, and configuration.

Figure 1.13 – A screenshot of the CNCF landscape map

Figure 1.13 – A screenshot of the CNCF landscape map

As teams adopt DevOps practices, they often select multiple tools based on preferences rather than considering overall compatibility with the organization’s DevOps strategy (unfortunately, many organizations do not have a defined strategy for adopting DevOps). As a result, fragmented toolchains can be a common occurrence where different teams and product units use different tools that may not integrate or work well together, hindering the ability to scale software delivery and leading to governance challenges. With multiple tools in use, it can be difficult to establish and enforce governance and compliance policies related to access control and data privacy. To address these challenges, a platform approach to tooling may be preferred.

The platform approach to DevOps tooling

Instead of using multiple disjointed tools for each stage of the DevOps workflow, some organizations opt for a platform strategy that offers a single integrated platform with tools for each phase. This approach can simplify the DevOps tooling landscape, making it easier to manage and reducing the need for manual integration between different tools.

Based on industry reports and surveys, here are five of the most commonly used and highly regarded commercial DevOps platform offerings:

  • GitLab: An all-in-one DevOps platform that provides a single application for source code management, continuous integration, testing, and deployment.
  • Azure DevOps: A Microsoft cloud-based platform that offers a set of DevOps services for developers to plan, develop, test, and deploy applications.
  • GitHub: Another Microsoft cloud-based platform that offers a set of DevOps services for developers to plan, develop, test, and deploy applications.
  • Atlassian: Atlassian offers a range of tools for DevOps teams, including Jira for issue tracking, Bitbucket for source code management, and Bamboo for continuous integration and deployment.
  • Amazon Web Services (AWSs) DevOps: AWSs offers a suite of tools and services for DevOps, including AWS CodePipeline, AWS CodeCommit, and AWS CodeDeploy.

Two of these platforms are Microsoft offerings that bring the tools needed to implement DevOps processes together in one place: Azure DevOps and GitHub.

An overview of the Azure DevOps platform

Azure DevOps is a Microsoft cloud platform with services that help teams implement DevOps processes. To use it, we need to create an Azure DevOps Organization (Figure 1.14). Within the organization, we can create separate projects for different software projects that we are working on, as shown in Figure 1.14. Within each project, we have access to the services that we can use to implement DevOps processes, and we can organize teams to work on different parts of the project:

Figure 1.14 – Azure DevOps Organization hierarchy

Figure 1.14 – Azure DevOps Organization hierarchy

The Azure DevOps platform has five core services. These services are connected to key practices in the development process, such as planning, controlling changes to code, and testing. These are the five core services of Azure DevOps:

  • Azure Boards for planning
  • Azure Repos for controlling code changes
  • Azure Pipelines for continuous integration and delivery
  • Azure Artifacts for package management
  • Azure Test Plans for exploratory test planning
Figure 1.15 – Azure DevOps core services

Figure 1.15 – Azure DevOps core services

Let’s briefly look at these five services, starting with Azure Boards:

  • Azure Boards: A tool that helps us to plan, track, and visualize work, similar to JIRA. It can be used with Scrum or Kanban methods and has four different templates from which to choose. It also has interactive boards and reporting tools to help us keep track of our work.
  • Azure Repos: A source control management service for managing changes to code. It works with two types of code management: Git and team foundation version control (TFVC). It is also integrated with other services in Azure DevOps for traceability.
  • Azure Pipelines: A tool that helps us to automatically build, test, and deploy code. It can be used to implement the process of continuous integration and continuous delivery. It works with many different types of programming languages and platforms, including Python, Java, PHP, Ruby, C#, and Go. We can also use it to deploy your code to various types of targets, including on-premises servers or cloud services.
  • Azure Artifacts: A tool that helps us to store, manage, and organize software packages. We can choose and control who we want to share packages with. It allows us to download packages from upstream sources. It works with different types of packages, such as NuGet, NPM, Maven, Universal, and Python.
  • Azure Test Plans: A cloud-hosted test management solution that we can use to plan and track the results of different types of tests. We can use it to plan and track manual tests, user acceptance tests, exploratory tests, and even automated tests. We can use any supported browser to access the tool and run manual tests through an easy-to-use web portal. It supports end-to-end traceability for tracking the progress and quality of our requirements and builds and provides us with data and reports to improve our testing processes.

One good thing about the Azure DevOps platform is that we’re not forced to use its services. We can choose which services we want to use for a software project and turn off the ones we don’t need (Figure 1.16).

Figure 1.16 – Enable/Disable Azure DevOps services

Figure 1.16 – Enable/Disable Azure DevOps services

An overview of the GitHub platform

The GitHub platform provides a variety of product options to accommodate teams and organizations of varying sizes. The options include the following:

  • GitHub Free: This is a free, basic version that is good for small personal projects or open source projects.
  • GitHub Pro: This is a paid version that has extra features such as advanced protection capabilities, protected branches, and code owners. It’s good for developers who need more advanced tools.
  • GitHub Team: This version includes all of the features of GitHub Pro and has team management tools. It’s good for teams that need to collaborate on projects. If your organization has 11 or fewer developers, consider GitHub Team.
  • GitHub Enterprise: This version is for large organizations that need even advanced features such as SAML single sign-on (SSO), data residency compliance, and advanced security capabilities. It’s good for large organizations that need to follow specific security and regulatory requirements. Organizations with 12 or more developers typically benefit the most from GitHub Enterprise. The Enterprise version also offers two options: Enterprise server, which is hosted on customer-managed infrastructure, and Enterprise cloud, which is cloud-hosted.
Figure 1.17 – GitHub platform product options

Figure 1.17 – GitHub platform product options

Throughout the remainder of this book, our focus will be on the GitHub Enterprise Cloud product offering. For us to use GitHub Enterprise Cloud, we need to create a GitHub Organization (Figure 1.18). An organization is a shared, private GitHub account where enterprise members can collaborate across many projects at once. Within the organization, we can create repositories, which are like projects in Azure DevOps. It is a good idea to create a separate repository for each project that the organization is working on.

Figure 1.18 – GitHub Organization hierarchy

Figure 1.18 – GitHub Organization hierarchy

A company can have multiple GitHub organizations. To simplify visibility, management, and billing, it is recommended to create an enterprise account to manage all organizations that belong to your company (Figure 1.19). Creating an enterprise account is optional, but it is free and will not add any additional charges for GitHub Enterprise Cloud customers. Even if a company only has one organization, it is still beneficial to create an enterprise account. With an enterprise account, we can manage and enforce policies for all the organizations owned by our company. We can even choose policies that we want to enforce at the enterprise level while allowing organization owners to configure other policies at the organization level.

Figure 1.19 – GitHub Enterprise Account

Figure 1.19 – GitHub Enterprise Account

The GitHub Enterprise Cloud platform offers a range of services that we can use for different stages of the code-to-cloud process. These services include the following:

  • Projects for planning, organizing, collaborating, and tracking software development projects.
  • Codespaces for writing code in a cloud-based development environment.
  • Copilot for machine learning-assisted code writing.
  • Repos for managing private and public code repositories.
  • Actions for automating building, testing, and deployment of code.
  • Packages for sharing and discovering reusable code packages.
  • Security for scanning and detecting security issues in code repositories.

The following image shows the layout of the GitHub services:

Figure 1.20 – GitHub services

Figure 1.20 – GitHub services

Let’s briefly look at these five services, starting with GitHub Projects:

  • GitHub Projects: A tool that we can use to plan, organize, and keep track of software projects. We can use it to assign tasks, collaborate with others, and add extra information to keep track of progress. It also has the capability to report on completed and outstanding work.
  • Codespaces: This offers a convenient cloud-based development environment where developers can run, test, debug, and push code without the need for local machine setup. Upon creating a codespace, developers are automatically provided with an already configured system that includes SDKs and runtime for various languages such as Python, Node, Docker, Java, Rust, Go, and C++. The default image can be fully customized to suit individual or team needs, allowing for a faster setup time for each repository.
  • GitHub Copilot: An AI pair programmer tool powered by OpenAI Codex, a machine learning model developed by OpenAI (a popular AI research and deployment company). Copilot provides code suggestions as developers write code in their IDEs. It can also interpret natural language comments and turn them into code. It supports multiple programming languages as it is trained on all languages that appear in public repositories. Copilot can be used as an extension in supported IDEs, such as Visual Studio Code, Visual Studio, Neovim, and the JetBrains suite of IDEs.
  • GitHub Repos: A source control management service for managing changes to code. Unlike Azure DevOps, it only supports Git, which is a distributed source control. It is also integrated with other services in GitHub for traceability.
  • GitHub Actions: A tool that helps us to automatically build, test, and deploy code. It can be used to implement the process of continuous integration and continuous delivery. It works with many different types of programming languages and platforms, including Python, Java, PHP, Ruby, C#, and Go. We can also use it to deploy code to various types of targets, including on-premises servers or cloud services.
  • GitHub Packages: A tool that helps us to store, manage, and organize software packages. We can choose and control who we want to share packages with. It allows us to download packages from upstream sources. It works with different types of packages, such as NuGet, NPM, Maven, Universal, and Python.
  • GitHub Advanced Security: This provides a range of tools to secure code in our repositories. It scans for vulnerable dependencies and allows us to automatically raise pull requests to fix them. It detects security vulnerabilities and coding errors in new or modified code. It can also identify any tokens or credentials accidentally committed to a repository. We will discuss this service in detail in the later chapters of this book.

Let’s have a quick look at another DevOps platform: GitLab.

An overview of the GitLab platform

GitLab is a web-based Git repository management tool that provides an end-to-end DevOps solution. Similar to other DevOps platforms, GitLab also has core services that support various stages of the DevOps workflow. These services are the following:

  • GitLab Issues: It is an Agile project management tool that helps teams to plan and organize their work using either Scrum or Kanban methodologies. With GitLab Boards, teams can easily track their progress, visualize their work, and collaborate with team members.
  • GitLab Repository: GitLab is primarily known for its version control system. It provides a centralized platform for teams to store, manage, and collaborate on their codebase using Git. Teams can use GitLab Repository with either Git or Mercurial, and they can easily import their codebase from other repositories.
  • GitLab CI/CD: GitLab’s CI/CD tool allows teams to automate their software delivery processes. GitLab CI/CD enables teams to build, test, and deploy their applications across various environments in a secure and efficient manner.
  • GitLab Container Registry: GitLab Container Registry is a built-in container registry that enables teams to store, manage, and deploy their Docker images. Teams can use GitLab Container Registry to create and manage their images and then deploy them to their preferred platform.
  • GitLab Monitor: GitLab Monitor is a monitoring tool that provides real-time visibility into the performance of applications and infrastructure. Teams can use GitLab Monitor to monitor the health of their applications and infrastructure, detect issues, and resolve them quickly.

GitLab is also highly configurable and customizable. Teams can easily customize the platform to fit their needs and preferences. GitLab supports various integrations and has a vast ecosystem of third-party extensions and plugins that teams can use to extend their functionalities.

Azure services for the DevOps workflow

Microsoft Azure offers a wide range of tools and services that can integrate well into a DevOps workflow. A broad range of tools and services for secret management, configuration management, load testing, chaos engineering, and app hosting/deployment, as well as comprehensive monitoring and observability capabilities.

Figure 1.21 – Azure Cloud-native services for DevOps

Figure 1.21 – Azure Cloud-native services for DevOps

Figure 1.21 highlights some of the tools that can be used in the different stages of the DevOps workflow. Let us review some of these services and how they fit in:

We have various services to host our applications:

  1. Build phase:
    • Azure Key Vault: This offers secure secret management, allowing developers to store and retrieve sensitive information such as API keys, passwords, and certificates.
    • Azure App Configuration: This enables centralized configuration management, providing a way to store and retrieve application settings across multiple environments.
  2. Test phase:
    • Azure Load Testing: This allows for the stress testing and performance testing of applications by simulating user traffic and analyzing system behavior under load.
    • Azure Chaos Studio: This facilitates chaos engineering experiments by introducing controlled disruptions and failures to test system resiliency.
  3. Release phase: Azure offers several computing options for app hosting and deployment:
    • Virtual machines (VMs) and VM scale sets: These offer flexibility to deploy and manage virtual machines for hosting applications.
    • App Services: This provides a platform to host web and API applications without worrying about infrastructure management.
    • Function Apps: This enables the development of serverless functions to execute code on demand.
    • Container Services: This supports containerized application deployments with options such as Azure Container Instances for lightweight workloads or Azure Kubernetes Service for orchestrating and scaling containerized applications.
  4. Operate and monitor phases:
    • Azure Monitor: This offers comprehensive monitoring and diagnostics for applications and infrastructure, allowing teams to gain insights into system performance and health.
    • Application Insights: This provides real-time application performance monitoring and logging, allowing developers to detect and diagnose issues quickly.
    • Managed Grafana for observability: This integrates Grafana, a popular open source observability platform, with Azure services, enabling advanced data visualization and analysis for monitoring and troubleshooting.

Keep in mind that the examples mentioned here are just a few, and we will encounter more services as we progress. Throughout this book, we will explore various Azure services that support DevOps practices and enhance the software development process, particularly those related to security use cases.

For now, just note that DevOps and cloud computing go hand in hand, as both are designed to enable faster software development and deployment. The cloud provides a scalable and flexible infrastructure that can support the demands of modern software development and services that enhance the process, and DevOps provides a framework for efficiently managing and deploying software in the cloud.

Now that we have explored the fundamental concepts of Agile, DevOps, and cloud computing, let us examine how these three elements come together to enable modern software development practices.

You have been reading a chapter from
DevSecOps for Azure
Published in: Aug 2024
Publisher: Packt
ISBN-13: 9781837631117
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image