Integrating Security with DevOps on Oracle Cloud

Integrating Security with DevOps on Oracle Cloud (Part 2 of 5)

Sanjay Basu
This post is part 2 in our blog series about how we integrate security with a generic DevOps-based application development process. In part 1, we defined DevOps methodology and practices, focusing on how to integrate continuous security into the larger DevOps process to support continuous application development and operation.

In this post, we cover some of the fundamental infrastructure components, such as cloud firewall services, identity management services, and continuous patching without downtime.

Network and Application Security Services

When you develop an application, or add or remove features, it’s essential to ensure that only required TCP ports are open. Opening ports that aren’t required can lead to exploits and compromises caused by vulnerabilities in the OS or supporting applications. The following figure shows the danger of keeping TCP ports open and accessible to nontrusted networks.
Diagram courtesy of https://geekflare.com/port-scanner-server/
In the previous post, we talked about how to integrate continuous security testing in the CI/CD pipeline. Generally, you could use an NMAP-based scanning tool for your internet-facing applications.
Most of the time, you need to keep some of these less secure ports—such as 123 for NTP, 69 for TFTP, or 137 for NetBIOS—open for supporting services and the application to work correctly. But you should ensure that these ports aren’t exposed to nontrusted networks by using firewall services.

Use Firewalls to Restrict Access

In Oracle Cloud Infrastructure, firewall services aren’t treated as a separate security control. Instead, they are fundamental components that can be manipulated through Infrastructure as Code (IaC). When you are developing application features, you should programmatically update or modify these firewall parameters. Oracle Cloud Infrastructure firewall services provide port filtering at the virtual cloud network (VCN) subnet level (security lists) and microsegmentation within a subnet at the VNIC level (network security groups). These services have well-defined APIs and SDK support.
All the major security and firewall vendors have products certified on Oracle Cloud Infrastructure. Some of our major security partners in the firewall technology area are CheckPoint, Cisco, Palo Alto, Fortinet, A10, and Aviatrix. They all provide a solid set of APIs and SDKs to programmatically configure their products on Oracle Cloud Infrastructure as virtual or bare metal appliances.

Protect Applications Listening on Open Ports

After closing down access to certain TCP ports, the next big security task is to protect the application listening on required open ports. For this kind of application security, a web application firewall (WAF) is typically used. Oracle Cloud Infrastructure WAF can be enabled with the Oracle Cloud Infrastructure Load Balancing service and configured using APIs and SDKs as part of IaC. We’ve also introduced next-generation runtime application self-protection (RASP) products through partners such as Imperva and Run Safe Securities. Using Terraform and Ansible, we can automate the instantiation and installation of these products as part of the application security configuration during application development cycles.
We've also programmatically integrated other Oracle Security products, such as Cloud Access Security Broker and Identity Cloud Services, to continuously monitor, protect, and authenticate application code and cloud resources a part of the DevOps processes and phases.

Patch Operating Systems

The next big task is to protect and continuously patch the OSs of the underlying hosts on which the applications or containers run. Oracle Autonomous Linux, along with the upcoming OS Management Service, addresses this continuous OS patching requirement. This service will use Oracle Ksplice to maintain and manage patches without restarting the instances. Ksplice is preinstalled in all Oracle Linux instances, and it’s available for Ubuntu Linux. For CentOS and Red Hat Linux, it can be easily installed automatically through an init script. The command and output look as follows:
Ksplice tracks of all the patches every time a library is modified, and it keeps the patch level updated. For more information about Ksplice, see this blog post.

Continuous Security with Automated Test and Deployment Pipeline

All the preceding security tasks can be integrated with the DevOps CI/CD pipeline tasks for continuous automated deployment.
The Oracle Cloud Infrastructure services and partner products mentioned in this post are integral components of the continuous security process (see the “Pillars of Continuous Security” section in part 1 of this series):
  • The Oracle Cloud Infrastructure firewall and WAF services, and partners’ RASP products, can be integrated with Jenkins to provide test-driven security.
  • With external penetration and exploit testing tools, remediation actions can be coded and automated as part of the automated response process.
  • Oracle Cloud Access Security Broker provides an exhaustive list of cloud security controls and risk assessment services based on automated machine learning, and is part of the continuous security risk assessment process.

Resources and Acknowledgments

For more information, see the following resources:
I’d like to extend a sincere thanks to Johnnie Konstantas for technical review.

What's Next

The next three parts of this series will explore the following topics:
  • Part 3 focuses on securing IaC. It covers how to achieve deployment security (Terraform and Ansible) and network access and entry point security; how to test security lists and add a bastion host; and how to secure database access by using table encryption, roles, and permissions, and asserting permissions through a deployer; and about data security at rest and during migration.
  • Part 4 is all about securing transmission. It covers various cryptography technologies pertaining to PKI and SSL/TLS (TLS handshake, PFS); how to enable HTTPS and obtain certificates; and best practices for using certificates on load balancers, including testing TLS and enabling Strict Transport Security and Public Key Pinning.
  • Part 5 covers the secure delivery pipeline. It covers best practices for managing access controls and permissions for GitHub, the Oracle Cloud Infrastructure Registry, and Oracle Cloud Infrastructure public APIs. It also covers Oracle Cloud access controls—managing permissions by using instance principals and compartment policies, and best practices for distributing secrets.

Comments

Securium Solutions said…

Cloud Access Security Broker is a secure application designed to protect the cloud and associated information from vulnerabilities. To get Cloud Access Security Broker Services in India, Securium Solutions is one of the best companies for giving cyber security services.
April 2, 2021 at 4:32 AM
Post a Comment

Popular posts from this blog

Easy Text-to-Speech with Python

Image
Text-to-speech (TTS) technology reads aloud digital text. It can take words on computers, smartphones, tablets and convert them into audio. Also, all kinds of text files can be read aloud, including Word, pages document, online web pages can be read aloud. TTS can help kids who struggle with reading. Many tools and apps are available to convert text into speech. Python comes with a lot of handy and easily accessible libraries and we’re going to look at how we can deliver text-to-speech with Python in this article. Source:  https://www.youtube.com/watch?v=eiP-12qHM-c Different API’s are available in Python in order to convert text to speech. One of Such API’s is the Google Text to Speech commonly known as the gTTS API. It is very easy to use the library which converts the text entered, into an audio file which can be saved as a mp3 file. It supports several languages and the speech can be delivered in any one of the two available audio speeds, fast or slow. More detai
Read more

Dependencies between DAGs in Apache Airflow

Image
  A DAG that runs a “goodbye” task only after two upstream DAGs have successfully finished. This post explains how to create such a DAG in Apache Airflow In Apache Airflow we can have very complex DAGs with several tasks, and dependencies between the tasks. But what if we have cross-DAGs dependencies, and we want to make a DAG of DAGs? Normally, we would try to put all tasks that have dependencies in the same DAG. But sometimes you cannot modify the DAGs, and you may want to still add dependencies between the DAGs. For that, we can use the  ExternalTaskSensor . This sensor will lookup past executions of DAGs and tasks, and will match those DAGs that share the same  execution_date  as our DAG. However, the name  execution_date  might be misleading: it is not a date, but an instant. So DAGs that are cross-dependent between them need to be run in the same instant, or one after the other by a constant amount of time. In summary,  we need alignment in the execution dates and times. Let'
Read more

Better File Storage in Oracle Cloud

Image
Use Oracle Application Express with Oracle Cloud Infrastructure REST APIs to upload, download, and manage big files in Oracle Cloud. By Adrian Png November 27, 2019 Oracle Cloud Infrastructure  provides a comprehensive suite of REST APIs for accessing and managing cloud resources. For example, administrators can use REST APIs to create and manage autonomous databases and initiate backups. Oracle Application Express (Oracle APEX)  makes working with REST easy. The  APEX_WEB_SERVICE  package, available since Oracle APEX 4.0, provides developers with a function for consuming REST APIs. Oracle APEX 5.0 introduced the  APEX_JSON  package, allowing easy parsing of JSON responses. Oracle APEX 18.1 introduced the Web Source Module (WSM), which enables developers to access REST services and use the data in APEX components such as reports, interactive reports, and interactive grids. These features, when used together with Oracle Cloud Infrastructure REST APIs, enable APEX developers
Read more