What is the missing puzzle piece in DevOps?

Application modernization is what keeps a business moving in the right direction of growth. Right now microservices are at the core of modernization efforts everywhere, and they are moving from being a trend to the de facto way of running mission-critical applications, replacing obsolete and traditional systems across enterprise environments.

The microservices architecture is built from several components and methods; the essential ones are containers and the DevOps pipeline, which are now the backbone of most well-known services and apps on the market.

A DevOps pipeline is a good way to keep development and operations teams working together in an agile way, but is it enough? Let me put it this way: is it enough for building an enterprise-grade system, or should there be another factor in the equation?

By default a security checkpoint must be passed before any new app is deployed into production. But keeping security outside of the pipeline slows down deployment and brings us back to silos again. That is why a lot of engineering firms are now implementing the concept of DevSecOps, where we can observe a new flavor of security team that lives by the concepts of microservices: security checks (image scanning, policy checks on manifests) run as automated stages of the same pipeline rather than as a manual gate at the end.

So how can we put this DevSecOps pipeline into practice? There are a lot of tools, books and courses that can show you how, but today I'm going to touch on the best practices I have seen in the market so far and share them with you.

First, deploying your container platform behind a firewall is good practice, but it doesn't guarantee that it won't be attacked!

Imagine building a wall around your company, but then anyone who legitimately gets inside can access whatever floor, office, document or desktop he likes, because all of these things are left unlocked. No one would do this, right?

The only way this can happen is that you trust anyone who crosses the outer wall, which is not a realistic approach. That is why several security frameworks have been developed, for instance the zero trust model, where you put a lock on each component to make sure that whoever accesses it has the relevant and correct role and access: not just to cross the wall, but to get onto the floor and to sit in that designated office.

I will share with you 10 quick steps to make sure that your container deployment has the basic security practices covered.

1- Prior to the build, make sure you are using a trusted base image provided by a trusted vendor or organization, because otherwise it is hard to know what is in there.

2- We still have not built anything yet: make sure you store your images in a private registry where you know exactly who has access to what, because otherwise an individual could replace your good copy with his own malicious one. In practice this is applied using the registry's access policies (who may push to which repository), and by pulling images by digest rather than by a mutable tag, so that a replaced image is noticed.

3- Now you build your image on a Kubernetes-based orchestrator, so you have to make sure you are using role-based access control (RBAC) on the platform to control what individuals and applications can do inside your cluster.

4- When you deploy your container, make sure it is deployed in a dedicated namespace for the application, also secured by RBAC, so you guarantee another level of isolation between apps on the same platform.

5- Control the ingress and egress network traffic of your application (in Kubernetes, with NetworkPolicy objects) so you can isolate containers from each other inside the cluster and from the rest of the environment in the outside world.

6- Prior to the deployment, make sure your container does not run as root and is not privileged; otherwise whoever gets access to that container can manipulate your machine as they please.

7- If your application needs a specific privilege, such as signalling another process or mounting a volume, grant only that Linux capability through the pod's security context (on OpenShift, through a security context constraint). But if it really needs complete root access to the kernel, consider deploying it in a sandboxed container runtime, where the container gets its own dedicated kernel (a lightweight VM or a user-space kernel) instead of sharing the host's.

8- This one sounds obvious, but a lot of companies are not doing it: please use a certified, vendor-supported operating system in your production environment. Reasons: secure code, CVE management, fixes and patches, etc.

9- Perform security scans on your cluster and your images. A lot of scanning tools are now available to inspect and remediate vulnerabilities.

10- Use Secrets and ConfigMaps when dealing with variables inside the platform: configuration in ConfigMaps, credentials in Secrets, never as literal values in the container spec.
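Several of these steps (1, 2, 4, 6, 7 and 10) can be checked mechanically before a manifest reaches the cluster, which is exactly where a DevSecOps pipeline stage belongs. The audit script below is an added example written for this article, not the author's code or any project's tool. It assumes a private registry named registry.internal.example and audits two constructed Pod specs: an insecure one that violates most of the points above, and a hardened one that passes. The sha256 digest in the hardened spec is a placeholder.

```python
"""Audit a Kubernetes Pod spec against the basic hardening steps in the list.

Added example, not code from the original article. TRUSTED_REGISTRIES and the
two Pod specs are constructed for illustration; the registry name is an
assumption. Run directly, or import and call audit_pod() on a loaded manifest.
"""
from __future__ import annotations
from typing import Any

TRUSTED_REGISTRIES = ("registry.internal.example/",)  # assumption: your private registry
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}
SECRET_HINTS = ("PASSWORD", "TOKEN", "SECRET", "KEY")


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the spec passed every check."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Step 4: a dedicated namespace, not "default".
    if pod.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("pod runs in the default namespace; use a dedicated one")
    # Sharing host namespaces or host paths hands the node to the container.
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        findings.append("pod shares host PID/network/IPC namespaces")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        image = c.get("image", "")
        # Steps 1 and 2: trusted source, private registry, immutable reference.
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(f"{name}: image {image!r} is not from the private registry")
        if "@sha256:" not in image:
            findings.append(f"{name}: image is not pinned by digest; a tag can be overwritten")
        # Container-level securityContext overrides the pod-level one.
        sc = {**pod_sc, **c.get("securityContext", {})}
        # Steps 6 and 7: no root, no privileged mode, only the capabilities needed.
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container has full access to the host kernel")
        # Unless the spec asserts runAsNonRoot, assume the image may start as UID 0.
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: container may run as root (UID 0)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not disabled")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities are not dropped (expected drop: [ALL])")
        bad = DANGEROUS_CAPS & set(caps.get("add", []))
        if bad:
            findings.append(f"{name}: adds dangerous capabilities {sorted(bad)}")
        # Step 10: credentials come from a Secret, never as a literal value.
        for env in c.get("env", []):
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{name}: env {env['name']} is a literal; use a Secret via secretKeyRef")
    return findings


# Constructed sample: violates most of the steps above.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments"},  # no namespace -> "default"
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "docker.io/someone/payments:latest",
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the hardened form of the same workload.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments", "namespace": "payments-prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            # placeholder digest; in practice take it from the registry after the build
            "image": "registry.internal.example/payments/app@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "payments-db", "key": "password"}}}],
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for f in audit_pod(pod):
            print("  -", f)
```

In a pipeline this runs on the rendered manifests before `kubectl apply`, failing the stage on any finding; the same rules can be enforced cluster-side with an admission controller, so a manifest that bypasses the pipeline is still rejected.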

Finally, this was a list of quick best practices that can help you secure your application and apply the concept of DevSecOps in your environment. There are a lot of other practices and tools that could be added to the list, so I would love to hear your feedback and open the discussion around this topic so we can learn from each other.

Article by Ahmed Gaber