AzureCourse Document 2


By

Rohit K Singh
INTRODUCTION
1. DevSecOps Vs DevOps
2. Continuous Integration
3. Continuous Deployment & Delivery
4. Security Integration
5. Tools
DEVSECOPS VS DEVOPS

CONTINUOUS INTEGRATION

Work-flow:
• Build
o Merging the code with remote repos
o Compiling source code
• Test
o Running unit / automated test cases
• Release
o Publishing build artifacts
• Deploy
CONTINUOUS DEPLOYMENT & DELIVERY
Continuous Delivery:

Pipeline: Build → Dev → QA (lower environments) → Stage → Prod (upper environments; each upper deployment is gated by a pre-approval and a post-approval)

 Continuous delivery is an automated release process; we can deploy our application at any time by clicking a button
 With continuous delivery, you can decide to release daily, weekly, fortnightly, or whatever suits your business requirements
 With continuous delivery, code gets deployed to lower environments without manual intervention, but for upper environments a manual approval is a must
Continuous Deployment:

Pipeline: Build → Dev → QA (lower environments) → Stage → Prod (upper environments), with no approval gates

 Continuous deployment goes one step further than continuous delivery
 With continuous deployment, every change that passes all stages gets deployed all the way to the production environment without human intervention
 With continuous deployment, only a failed test will prevent a new change from being deployed to production
 With continuous deployment, we can completely bypass release day and accelerate the feedback loop with customers
Integrating Security at each stage:

• Develop: IDE plugins, pre-commit hooks
• Commit: GIT, code scan, vaults
• TEST: unit tests, mutation tests, SAST
• BUILD ARTIFACTS: dependency checks, container image scan
• Deploy: DAST, compliance checks, functionality checks
• Monitor: apps, network, infrastructure


TOOLS

SECTION-2
1. Virtual Machine creation
2. Software Installation
3. Use-Case
4. Maven Basic
5. Basic Jenkins build/deploy pipelines creation
Hardware Requirement:
 Operating system: Ubuntu 18.04
 HDD: 128 GB
 CPU: 2 vCPU
 Memory: 4 GB
 Static IP
 Network Policy: Allow All

Software Installation:
 Docker
 Java 11, Maven
 Jenkins
 Kubernetes components (kubectl, kubeadm, kubelet)
 CNI – Weave Net
USE-CASE

Two sample services:
 Service on port 8080: http://localhost:8080/increment/99 returns 100
 Service on port 5000: http://localhost:5000/plusone/99 returns 100
 The diagram also shows the /compare and / endpoints
MAVEN
• Maven, a Yiddish word meaning accumulator of knowledge, was built as an attempt to simplify
the build processes
• Maven is a powerful project management tool that is based on POM (project object model)
• It is used for project build, dependency, and documentation
Helps Us with:
o Builds
o Documentation
o Reporting
o SCMs
o Releases
o Distribution

Maven objectives:
o Simplify the build process
o Uniform build process (a Maven project can be shared by all the Maven projects)
o Provides project information (log document, cross-referenced sources, mailing list, dependency list, unit test reports etc.)
o New features migration
POM (project object model)
• pom.xml files contain project and configuration information for Maven to build the project
• The POM file has information such as project dependencies, source directory, test source directory, plugins, goals, etc.

Key elements of pom.xml:
<project>: root element of the pom.xml file
<modelVersion>: specifies the model version
<groupId>: specifies the project group ID
<artifactId>: specifies the project artifact ID
<packaging>: defines the packaging type, such as jar, war, etc.
<version>: the artifact's version
<name>: defines the name of the Maven project
SECTION-3
1. Adding Security to the pipelines
• GIT Hooks – Talisman
• UNIT Test Integration
• Code Coverage – Jacoco
• Mutation – PIT
2. Adding multiple scanning capabilities
• Dependency-Checks
• Image Scan – Trivy
• Dockerfile scan – OPA
3. SAST – SonarQube
LINUX

Objectives:
 File System & Permissions
 Essential Commands
 User & Group Management
 Linux Editor
 Package Management
Shell Types:
 A shell is a program that takes commands from the keyboard and gives them to the operating system to perform
 Bourne Shell (sh)
 C Shell (csh or tcsh)
 Korn Shell (ksh)
 Z Shell (zsh)
 Bourne again Shell (Bash)

Commands:
 echo $SHELL {To check the current shell}
 chsh {To change the shell}
 cat /etc/shells {To list the available shells}

Features of BASH:
o Bash Auto-Completion (e.g. ls Documents)
o Alias (e.g. alias dt=date)
o Command History (history)
Basic Commands:
Commands & Arguments:

Basic Commands:
Command Types:
 Internal and Built-In Commands:
• echo
• cd
• pwd etc.
 External Commands:
• mv
• date
• uptime
• cp etc.

Absolute & Relative Path:

• An absolute path is a complete path from the start of the actual file system, i.e. from the / directory
• A relative path is defined relative to the present working directory (pwd)
Basic Commands:
 pwd {present working directory}
 ls (List content)
o ls -a (All files, including hidden)
o ls -l (Long list)
o ls -lt (Long list, sorted by time)
o ls -ltr (Long list, in reverse time order)
 mkdir (make a new directory)
 cd (Change directory)
 mv (Move file or directory)
 cp (copy file)
 cp -r (copy directory)
 rm (remove file)
 rmdir (remove directory)
 touch (Create file)
 cat (Open file read-only)

Pager:
 more
 less

Command line Help:
 whatis date
 man date
 date --help
Filesystem Hierarchy: / (Root Partition)

/bin /boot /dev /etc /home /lib /mnt /media /opt /tmp /usr /var
File Types:

ls -ld {to list the directories themselves rather than their contents}
File Permissions:

- rwx rwx r-x
  Owner (u) | Group (g) | Others (o)
  r = 4, w = 2, x = 1

File Permissions (chmod examples):
 Provide full access to owners
 Provide read access to owners, groups and others; remove execute access
 Remove all access for others
 Full access for owner; add read and remove execute for group; no access for others
 Provide full access to owners, group and others
 Provide read and execute access to owners, groups and others
 Read and write access for owner and group; no access for others
 Full access for owner, read/execute for group and no access for others
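Added here as a worked example, not from the slides (which list the descriptions only): a symbolic chmod form for each description above, applied to a scratch file so the resulting octal mode can be read back and checked against r=4, w=2, x=1. The chmod forms are my mapping of the descriptions, and the scratch file's 644 starting mode is an assumption.

```shell
#!/bin/sh
# Added example: apply each permission change described on the slides to a
# scratch file and read back the resulting mode with GNU stat (r=4 w=2 x=1).
# The chmod forms below are an interpretation of the slide descriptions.

# mode_after SYMBOLIC_MODE -> octal mode of a scratch file after the change
# (the file starts at 644, rw-r--r--, so every case has the same baseline)
mode_after() {
  f=$(mktemp)
  chmod 644 "$f"
  chmod "$1" "$f"
  stat -c '%a' "$f"
  rm -f "$f"
}

# show_all -> prints description, chmod argument and resulting octal mode
show_all() {
  printf '%-74s %-18s %s\n' "Description (from the slides)" "chmod" "result"
  while IFS='|' read -r desc mode; do
    printf '%-74s %-18s %s\n' "$desc" "$mode" "$(mode_after "$mode")"
  done <<'EOF'
Provide full access to owner|u=rwx
Provide read access to owner, group and others; remove execute|a+r,a-x
Remove all access for others|o=
Full access for owner; add read, remove execute for group; none for others|u=rwx,g+r,g-x,o=
Provide full access to owner, group and others|a=rwx
Provide read and execute access to owner, group and others|a=rx
Read and write access for owner and group; no access for others|ug=rw,o=
Full access for owner, read/execute for group, no access for others|u=rwx,g=rx,o=
EOF
}

show_all
```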
User & Group Management:

User Information:

cat /etc/passwd

Group Information:

cat /etc/group

User & Group Management:
Account Types:
- User Account
• bob
• john
- Superuser Account (UID = 0)
• root
- System Accounts (UID < 100 or between 500 - 100)
• ssh
• mail
- Service Accounts
• nginx

Commands:
- who
- id
- last
- su -
User & Group Management:

Password Information:

cat /etc/shadow

SUDO:
Syntax: User <space> OnHost = (RunAs-User:Group) <space> Commands
Edit with: visudo (opens /etc/sudoers and checks the syntax before saving)
Example: root ALL = (ALL:ALL) ALL
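An audit helper added here (not from the slides) that parses rules in the User OnHost = (RunAs-User:Group) Commands form shown above and flags the entries whose command list is ALL, i.e. the shape of the root example. The sudoers fragment, its user names, host and commands are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the course slides): parse sudoers rules of the form
#   User OnHost = (RunAs-User:Group) Commands
# and flag the ones that grant unrestricted command execution. The sample
# fragment, its users, hosts and commands are constructed for this example.

# sample_sudoers -> path of a constructed sudoers fragment
sample_sudoers() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed /etc/sudoers fragment (example data, not a real host)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
jenkins build01=(root) /usr/bin/systemctl restart app.service
%ops    ALL=(ALL:ALL) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
EOF
  printf '%s\n' "$f"
}

# audit_sudoers FILE -> one line per rule: "user host runas commands flag"
# flag is ok, UNRESTRICTED (command list is ALL) or UNRESTRICTED_NOPASSWD
audit_sudoers() {
  # drop comments and blank lines, then split each rule into its four parts
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
    /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      left = substr($0, 1, eq - 1); right = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", left)
      split(left, lh, /[ \t]+/); user = lh[1]; host = lh[2]
      runas = "-"                       # no (...) part means run as root only
      if (match(right, /\([^)]*\)/)) {
        runas = substr(right, RSTART + 1, RLENGTH - 2)
        right = substr(right, RSTART + RLENGTH)
      }
      gsub(/^[ \t]+|[ \t]+$/, "", right); cmds = right
      flag = "ok"
      if (cmds ~ /(^|:[ \t]*)ALL$/) flag = "UNRESTRICTED"
      if (flag == "UNRESTRICTED" && cmds ~ /NOPASSWD/) flag = "UNRESTRICTED_NOPASSWD"
      print user, host, runas, cmds, flag
    }'
}

audit_sudoers "$(sample_sudoers)"
```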
User & Group Management (useradd options):

-c Custom comment
-d Custom home directory
-e Expiry date
-g Specific primary GID
-G Create the user with multiple secondary groups
-s Specific login shell
-u Specific UID
File Permissions (changing ownership):

 Change the owner to bob and the group to developer
 Change just the owner of the file to bob; group unchanged
 Change the group of test-file to the group called android
Package Managers:
Package management is a method of installing, updating, removing, and keeping track of software
updates from specific repositories (repos) in the Linux system

Package Managers:

YUM OR APT:
• YUM (Yellow Dog Updater, Modified) or APT/DPKG is an open-source Linux package management application that uses the RPM or DEB package manager underneath
• The benefits of YUM and APT/DPKG over plain RPM or DEB are automatic updates, easy package management and dependency management
Linux Editor:
VI & VIM Editor:
 Edit file: vi file-name.txt
 Read-only: vi -R file-name.txt

Sr No | Command | Description
1 | k | Moves the cursor up one line
2 | j | Moves the cursor down one line
3 | h | Moves the cursor to the left one character position
4 | l | Moves the cursor to the right one character position
5 | i | Inserts text before the current cursor location
6 | I | Inserts text at the beginning of the current line
7 | a | Inserts text after the current cursor location
8 | A | Inserts text at the end of the current line
9 | o | Creates a new line for text entry below the cursor location
10 | O | Creates a new line for text entry above the cursor location
11 | x | Deletes the character under the cursor location
12 | X | Deletes the character before the cursor location
13 | dw | Deletes from the current cursor location to the next word
14 | dd | Deletes the line the cursor is on
AZURE CLOUD

Objectives:
 Virtual Machine
 Virtual Networking
 Active Directory
 Key Vault / Storage Account
 App Services / Kubernetes Services
Cloud Concepts:

Software as a Service (SaaS)
SaaS platforms involve software that is made available by a third party over the Internet
SaaS Examples – Google Workspace, Salesforce

Platform as a Service (PaaS)
PaaS focuses primarily on hardware and software tools available over the internet
PaaS Examples – AWS Elastic Beanstalk, Heroku

Infrastructure as a Service (IaaS)
IaaS works primarily with cloud-based and pay-as-you-go services such as storage, networking and virtualization
IaaS Examples – AWS, Azure

On-Premises
On-premises software is installed and runs on computers on the premises of the person or organization using the software, rather than at a remote facility such as a server farm or cloud
On-Prem Examples – Local Data Center

Shared Responsibility Model:
Virtual Network:

 Representation of cloud network: a logical representation of your network in the cloud. Azure Virtual Networks (VNets) help us create and manage networking in Azure
 Dedicated instance: every VNet instance in Azure is private and dedicated
 Hybrid scenarios: with the help of VNets, we can securely extend our communication to on-premises datacenters and other cloud providers
 Connectivity between Azure services: Virtual Network is responsible for facilitating connectivity between Azure Virtual Machines and other Azure services. It also enables Azure VMs to connect to the Internet
AZURE VNET:
 Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure
 VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks

There are multiple services an Azure VNet provides:
 Communicate with on-premises resources
o Point-to-site virtual private network (VPN)
o Site-to-site VPN
o Azure ExpressRoute
 Communicate between Azure resources
o Through a virtual network
o Through a virtual network service endpoint
o Through VNet Peering
 Filter network traffic
o NSG/ASG
o NVA
 Route network traffic
o Route tables
Filter network traffic:

Filter network traffic between subnets using NSG/ASG or network virtual appliances

Network Security Groups:

NSGs can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol
 NSGs can be attached to subnets, network interfaces or ASGs
 Various NSG properties:
o Name
o Priority
o Source & Destination
o Protocol
o Direction
o Port Range
o Action

Application Security Groups:

Application security groups enable you to configure network security by grouping virtual machines and defining network security policies based on those groups
• ASGs can be set as Source or Destination in an NSG
• NSGs are still required when the VMs are grouped together with ASGs
NSGs:

Filter traffic: NSGs operate at layer 4 and allow us to filter the incoming and outgoing traffic of a virtual network

Association: NSGs can be associated to subnets and network interfaces. You can associate multiple subnets and network interfaces to a single NSG

Evaluation: rules applied at the subnet level and at the network interface level are evaluated separately. Traffic requires an "allow" rule at both levels to be admitted

Rule set: an NSG comprises a set of priority-based rules that can be used to allow or deny inbound or outbound traffic

NSG/ASG flow: (diagram; shows traffic on port 443)
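A small model of the evaluation rules just described, added here and not from the slides: rules are tried in priority order with the first match deciding, and traffic is admitted only when both the subnet NSG and the NIC NSG allow it. The two rule files are constructed for the example, and the source column is matched as a literal token (an address or a service tag such as VirtualNetwork); CIDR prefix matching is left out.

```shell
#!/bin/sh
# Added example (not from the course slides): a small model of NSG evaluation.
# Rules are tried in priority order (lowest number first) and the first match
# decides; traffic is admitted only when BOTH the subnet NSG and the NIC NSG
# allow it. Rule files are constructed; the source column is matched as a
# literal token (an address or a service tag such as VirtualNetwork).

# sample_nsgs -> directory holding subnet.rules and nic.rules
# columns: priority direction protocol source dest-port(s) action
sample_nsgs() {
  d=$(mktemp -d)
  cat > "$d/subnet.rules" <<'EOF'
100 Inbound Tcp * 443 Allow
110 Inbound Tcp VirtualNetwork 22 Allow
65000 Inbound * VirtualNetwork * Allow
65500 Inbound * * * Deny
EOF
  cat > "$d/nic.rules" <<'EOF'
100 Inbound Tcp * 443 Allow
200 Inbound Tcp * 22 Deny
300 Inbound Tcp * 8000-8999 Allow
65500 Inbound * * * Deny
EOF
  printf '%s\n' "$d"
}

# evaluate_rules RULES DIRECTION PROTO SRC PORT -> action of the first matching rule
evaluate_rules() {
  sort -n "$1" | awk -v dir="$2" -v proto="$3" -v src="$4" -v port="$5" '
    function port_match(spec, p,  r) {
      if (spec == "*") return 1
      if (index(spec, "-")) { split(spec, r, "-"); return (p >= r[1] + 0 && p <= r[2] + 0) }
      return (spec + 0 == p + 0)
    }
    $2 == dir && ($3 == "*" || $3 == proto) && ($4 == "*" || $4 == src) && port_match($5, port + 0) {
      print $6; exit
    }'
}

# effective_decision SUBNET_RULES NIC_RULES DIRECTION PROTO SRC PORT
# -> Allow only when both levels allow (the two rule sets are evaluated separately)
effective_decision() {
  s=$(evaluate_rules "$1" "$3" "$4" "$5" "$6")
  n=$(evaluate_rules "$2" "$3" "$4" "$5" "$6")
  if [ "$s" = Allow ] && [ "$n" = Allow ]; then echo Allow; else echo Deny; fi
}

demo() {
  d=$(sample_nsgs)
  for q in "203.0.113.7 443" "VirtualNetwork 22" "203.0.113.7 8080"; do
    set -- $q   # split "source port"
    echo "Inbound Tcp from $1 to $2: subnet=$(evaluate_rules "$d/subnet.rules" Inbound Tcp "$1" "$2")" \
         "nic=$(evaluate_rules "$d/nic.rules" Inbound Tcp "$1" "$2")" \
         "effective=$(effective_decision "$d/subnet.rules" "$d/nic.rules" Inbound Tcp "$1" "$2")"
  done
}

demo
```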
VM Sizes:

Azure VM-Sizes
Azure Bastion:
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the
Azure portal, or via the native SSH or RDP client already installed on your local computer

Azure Availability and Resiliency:

 Availability Zones
 Availability Sets
 VM Scale Sets
 Load Balancer
 Azure Storage Redundancy
 Azure Site Recovery
What are Virtual Machine scale sets:

 Azure compute helps provide high availability and better performance to your application by creating and managing a group of identical, load-balanced VMs
 The number of VMs can automatically increase or decrease in response to demand or on a defined schedule
 Supports up to 1000 VMs; with your own custom images, up to 600 VMs

Diagram: Portal → Custom Image → Azure VM Scale Set → Azure Load Balancer
Storage Account:

Microsoft Azure's storage solution for object storage, file storage, message queues and a NoSQL store, for meeting modern application requirements

High availability and durability: storage accounts come with different redundancies to fulfil your durability requirements. Data stored in the storage account can be replicated to different datacenters and even across regions, ensuring high availability for the data

Scalability and Managed: Azure Storage is a platform-managed service; depending upon the requirement it will automatically scale the storage and performance

Security: by default, all data written to the storage account is encrypted by Storage Service Encryption. To access the data, storage accounts provide different authorization methods such as storage keys, shared access signatures, and Azure AD

Access: HTTP or HTTPS can be used to access the data that is stored in Azure Storage. With the help of the SDKs provided by Microsoft, developers can easily integrate Azure Storage with their code. Azure Storage also supports Azure PowerShell, Azure CLI and the REST API
Storage Services:

Azure Containers: ideal for storing unstructured data such as text or binary data
Azure Files: used to provision highly available file shares in the cloud that can be mounted to cloud and on-premises machines
Azure Tables: ideal for storing structured non-relational data
Azure Queues: used to store and retrieve messages between application components that need to be processed asynchronously
Storage Replication:

Locally redundant storage (LRS): synchronously replicates data to three disks within a data center in the primary region. Offers a moderate level of availability at a lower cost

Zone-redundant storage (ZRS): synchronously replicates data among three Azure availability zones in the primary region. Provides a higher level of resilience at a higher cost

Geo-redundant storage (GRS): stores another three copies of data in a paired Azure region

Read-access geo-redundant storage (RA-GRS): same as GRS, but allows data to be read from both Azure regions
AZURE ENDPOINTS

Azure Private Link (Private Endpoint):

Private Endpoints allow you to access Azure PaaS services over a private IP address within the VNet. The endpoint gets a new private IP on your VNet. When you send traffic to the PaaS resource, it ensures the traffic always stays within your VNet

Azure Service Endpoint:

A Service Endpoint provides secure and direct connectivity to Azure PaaS services over an optimized route over the Azure backbone network. Traffic still leaves your VNet and hits the public endpoint of the PaaS service

Diagram: private endpoint vs. service endpoint over the Azure backbone network
STATIC APPLICATION SECURITY TESTING {SAST}
SONARQUBE

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality, performing automatic reviews with static analysis of code.

Why?

• It helps in detecting areas in the code that need refactoring or simplification
• It can help to find bugs early in the development cycle, which means less cost to fix them
• We can define project-specific rules which will then be enforced without manual intervention

What?

• Simply having visibility into code is not enough; in order to address the issues flagged by code analysis, we need to make use of the different data insights that we get from SonarQube

How?

Quality Gates
• Best way to ensure that standards are met and regulated in projects
• Can be defined as a set of threshold measures set on your project
TALISMAN

Pre-commit / Pre-push hooks:

• Sensitive information such as access keys, access tokens, SSH keys etc. is often leaked erroneously through accidental git commits
• Pre-commit hooks can be installed on developers' workstations to avoid this
• They work on a purely regex-based approach for filtering sensitive data
• If developers want, they can bypass this step
AWS Keys - Case Study

Talisman:
• Talisman installs a hook in your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation
• It validates the outgoing change for things that look suspicious like potential SSH keys, authorization tokens, private keys, etc.

Global Installation:
Talisman will thus be present not only in your existing git repositories, but also in any new repository that you 'init' or 'clone'
Pre-hooks:
Post-hooks:

Single Project Installation:
Talisman will be present only in a single git repository
Pre-push hooks:

Talisman works on pattern matching:
 Encoded Values
 File Content
 File Size
 Entropy
 Credit Card Number
 File Name
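Added example, not Talisman's own code: a minimal pre-commit style scan over constructed sample files that shows three of the checks listed above (file name, file content, and credit-card number via the Luhn check) and returns the non-zero status a hook would use to block the commit. The file names and values are made up; the access key string is the example value from AWS's documentation and the PEM body is a placeholder.

```shell
#!/bin/sh
# Added example (not Talisman's own code): a pre-commit style scan that shows
# three of the checks listed on the slides, file name, file content and
# credit-card number (Luhn), run over constructed sample files.

# scan_file FILE -> prints one finding type per line, nothing if the file is clean
scan_file() {
  f="$1"
  # file-name check: names that usually hold key material
  case "$(basename "$f")" in
    id_rsa|id_ed25519|*.pem|*.key|*.p12) echo FILENAME ;;
  esac
  # content checks: PEM private-key header, AWS access key id format (AKIA + 16 chars)
  grep -Eq -- '-----BEGIN( [A-Z]+)? PRIVATE KEY-----' "$f" && echo PRIVATE_KEY
  grep -Eq 'AKIA[0-9A-Z]{16}' "$f" && echo AWS_ACCESS_KEY_ID
  # credit-card check: a 16-digit run that passes the Luhn checksum
  grep -Eo '[0-9]{16}' "$f" | awk '
    { s = 0; n = length($0)
      for (i = n; i >= 1; i--) {
        d = substr($0, i, 1) + 0
        if ((n - i) % 2 == 1) { d *= 2; if (d > 9) d -= 9 }   # double every 2nd digit from the right
        s += d
      }
      if (s % 10 == 0) { print "CREDIT_CARD"; exit } }'
  return 0
}

# precommit_check FILE... -> 0 when all files are clean, 1 when any file has findings
# (the exit status a git pre-commit hook would return to block the commit)
precommit_check() {
  rc=0
  for f in "$@"; do
    findings=$(scan_file "$f" | sort -u | tr '\n' ' ')
    if [ -n "$findings" ]; then echo "BLOCKED $f: $findings"; rc=1; fi
  done
  return $rc
}

# sample_repo -> directory of constructed files; the key id is AWS's documented
# example value, the card number is a well-known test number, the PEM body is a placeholder
sample_repo() {
  d=$(mktemp -d)
  printf 'server.port=8080\norder_ref=1234567890123456\n' > "$d/application.properties"
  printf 'aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n' > "$d/config.yaml"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-key-body' '-----END RSA PRIVATE KEY-----' > "$d/deploy.key"
  printf 'test card 4111111111111111\n' > "$d/payment_test.txt"
  printf '%s\n' "$d"
}

d=$(sample_repo)
precommit_check "$d"/* || echo "commit would be rejected"
```

The order_ref value in application.properties is 16 digits but fails the Luhn check, so it is not reported, which is what separates this check from a bare digit-count regex.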
HELM

• Helm charts are packages (like rpms). A chart contains pre-configured Kubernetes resources such as
o ConfigMaps
o Deployments
o Services
• Helm is the package manager for Kubernetes (like yum) that lets you easily package, configure, and deploy applications onto Kubernetes clusters

Architecture:
Helm installs charts into Kubernetes, creating a new release for each installation. To find new charts, you can search Helm chart repositories.
• Repository is the place where charts can be collected and shared
• Chart is a Helm package. It contains all of the resource definitions necessary to run an application on a Kubernetes cluster
• Release is an instance of a chart running in a Kubernetes cluster

Installation:
• export VERIFY_CHECKSUM=false (this disables the install script's checksum verification of the downloaded binary; leave it unset to keep that check)
• curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
• helm version
ISTIO

Istio is an open framework for connecting, securing, managing and monitoring microservices

Istio includes:
1. discovery,
2. load balancing,
3. failure recovery,
4. metrics,
5. monitoring

Istio can also handle more complex operational requirements:
1. A/B testing,
2. canary releases,
3. rate limiting,
4. dark launches,
5. access control,
6. end-to-end authentication

What makes Istio so unique is that all these functionalities come with NO CHANGE OF CODE required.

Architecture:
MONITORING

Kubernetes has the potential to simplify the process of deploying your application in containers and across clouds, but in doing so it leaves you blind as to:
• what is actually happening,
• what resources are being utilized
