# DevSecOps As A Platform

Thomas Foulds

May 31, 2024

---

## Agenda

1. Why Build A Platform?
2. What Is In The Toolbox?
3. How Do We Package It?
4. Can It Scale?
5. What Are The Challenges?
6. Where Are We Now?
7. Q&A

---

## Why Build A Platform?

Effective DevSecOps in secure environments requires secure tools for efficient delivery.

===

## Great, But Really Now?

* TapHere works for many security-conscious clients.
* The DevSecOps lifecycle requires a distinct toolset.
* Target environments often lack the required tools.
* Adding tools ad hoc is difficult in secure environments.
* Current business demonstrates the need for a common, secure toolset.

===

## Ok, So What Is The Solution?

* Package the required toolset into a single virtualized appliance.
* Bundle industry-standard tools in a secure-by-default deployment.
* Generate documentation to aid client security officers in the onboarding process.

===

## Benefits Of This Approach

* A common distribution aids standardization and adoption.
* A polished UI helps onboard new developers and operations staff.
* Tools are scalable across environment sizes.

---

## What Is In The Toolbox?

===

## What Are Our Preconditions?

* Basic network services
  * Routing/Switching
  * DHCP
  * DNS
* Virtualization hosting

===

## Core Capabilities

* Secret Management
* Identity and Access Management
* Version Control

Note:
* Vault is common across the industry and interoperates with a lot of different systems.
* Start small with an IdAM that has federating capabilities. That way Keycloak provides SSO for the environment from day 1 and can be integrated with existing or newly deployed IdAM solutions (AD, IPA, etc.) as needed.
* Git is helpful for both development and operations, since environment configuration can be versioned just like application code.
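The Vault integration the note describes, as an added example that is not part of the original deck: a Deployment whose database password is rendered into the pod by the Vault Agent Injector, so the credential never sits in a Kubernetes Secret object or in Git. The injector as the integration method, the `apps` namespace, the ServiceAccount and Vault role `platform-web`, the KV v2 path `secret/platform/web/db` and the image name are all assumptions made for the example.

```yaml
# Added example (not from the deck). Assumes the Vault Agent Injector is
# installed, Kubernetes auth is enabled in Vault, a Vault role "platform-web"
# is bound to the ServiceAccount "platform-web" in namespace "apps", and a
# KV v2 secret exists at secret/platform/web/db with a "password" key.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: platform-web
  namespace: apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: platform-web
  template:
    metadata:
      labels:
        app: platform-web
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Vault role whose bound_service_account_names includes "platform-web"
        vault.hashicorp.com/role: "platform-web"
        # Render the secret to /vault/secrets/db.env inside the pod
        vault.hashicorp.com/agent-inject-secret-db.env: "secret/data/platform/web/db"
        vault.hashicorp.com/agent-inject-template-db.env: |
          {{- with secret "secret/data/platform/web/db" -}}
          DB_PASSWORD={{ .Data.data.password }}
          {{- end }}
        # Keep the agent sidecar running so renewed leases are re-rendered
        vault.hashicorp.com/agent-pre-populate-only: "false"
    spec:
      serviceAccountName: platform-web
      securityContext:
        runAsNonRoot: true
      containers:
        - name: web
          image: registry.platform.internal/apps/web:1.0.0   # assumed image
          # Source the rendered file, then exec the real process
          command: ["/bin/sh", "-c", ". /vault/secrets/db.env && exec /app/server"]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
```

On the Vault side this pairs with `vault auth enable kubernetes` and a role such as `vault write auth/kubernetes/role/platform-web bound_service_account_names=platform-web bound_service_account_namespaces=apps policies=platform-web ttl=1h`, where the `platform-web` policy grants only `read` on `secret/data/platform/web/*`. Binding the role to a single ServiceAccount and namespace is what keeps one compromised workload from reading every other workload's secrets.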
===

## Automation Enablers

* Infrastructure Provisioning
* Configuration as Code
* Kubernetes Packaging
* CI/CD Automation

Note:
* A standardized Terraform API focused on the least common denominator across hosting platforms lets us get more mileage out of our core tools.
* Standardize on Ansible, since it's what a lot of our industry is using and what the government seems to be buying.
* While tools like Zarf are cool, Helm is still the de facto standard for K8s packaging. Our challenge will be getting the container images bundled for distribution.
* Nobody loves Jenkins, but it's solid "boring" technology that is flexible enough for many different scenarios. The Jenkins Configuration as Code plugin also makes setting it up in a "DevOps" style much easier than before.

===

## Compliance and Security

* Testing and Compliance
* Automated Security
* Policy as Code
* Monitoring

Note:
* Lightweight scanners like OpenSCAP and Trivy help make security a built-in part of the development process instead of something bolted on at the end.
* Part of the scaffolding and framework development we will need to do is creating application templates that guide developers towards secure-by-default deployments.
* Tools like OPA Gatekeeper make sure that when we deploy things to Kubernetes they are compliant and configured the way we expect.
* Start with the monitoring basics, Prometheus and Grafana, then move into heavier-weight tools like the ELK stack.

---

## How Do We Package It?

===

## But Kubernetes Is A Pain!

* Adds new complexity to deployment.
* Operations staff may be unfamiliar with its administration.
* Not all client software is containerized.

===

## All True, However

* Enables easier decoupling of modular services.
* Kubernetes expertise is a frequently requested skill by clients.
* The platform provides an escape hatch for traditional workloads.

---

## Can It Scale?

YES!

===

## Start Small

* A single appliance with a limited resource footprint.
* Provides all core services without blowing the hosting budget.

===

## Make Scaling Incremental

* "Break off" services from the appliance when they are outgrown.
* Provide automation to manage migration and "production" deployment.

===

## Provide Options

* Some clients may prefer scaling Kubernetes.
* Others may prefer more traditional VM deployments.
* Additional services can be provided as pluggable add-ons.

===

## Enable Customization

* **The modules provided do not need to be everything to everyone.**
* Provide a cross-platform Terraform API for VM workloads.
* Package deployment and migration automation in standardized Ansible Collections.

---

## What Are The Challenges?

* System security requirements are only getting more strict.
  * Full-disk encryption requirements
  * Zero trust networking

Note:
* Writing secure fapolicyd and SELinux rules for new software is a non-trivial undertaking.
* The RHEL 9 STIG requires all disks to be encrypted at rest as LUKS volumes. Rebooting an environment without some automatic way to decrypt the drives at boot becomes an administrative nightmare.
* Defending the perimeter is no longer enough; trust needs to be established not just north-south but also east-west. Encrypted service meshes are one solution to some of these problems.

---

## Where Are We Now?

* RHEL 9.4 image with DISA STIG automation applied.
* RKE2 single-node cluster with the CIS hardening profile applied.
* Vault deployed and integrated as the Kubernetes secret store.
* Keycloak in work to provide OIDC integration for Kubernetes, Vault, and other services.

---

## Questions?

---

## Thanks For Coming!
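For the full-disk encryption challenge in the speaker notes, an added example that is not part of the original deck: an Ansible play that binds a LUKS volume to a Tang server with Clevis so the appliance can unlock its disks at boot without an operator typing a passphrase. Clevis and Tang as the unlock mechanism are the editor's assumption (the slide only states the problem), as are the device path, the Tang URL, the `platform` host group and the `luks_passphrase` variable.

```yaml
# Added example (not from the deck): network-bound disk encryption for a
# STIG-mandated LUKS volume on RHEL 9. Assumes a Tang server at
# tang.platform.internal on a separate host, the volume at /dev/vda2, and the
# existing LUKS passphrase supplied via the luks_passphrase variable
# (for example from vault-encrypted group_vars).
- name: Enable network-bound disk encryption on the LUKS root volume
  hosts: platform
  become: true
  vars:
    luks_device: /dev/vda2                    # assumed device
    tang_url: http://tang.platform.internal   # assumed Tang server
  tasks:
    - name: Install Clevis, its LUKS integration and the dracut module
      ansible.builtin.dnf:
        name: [clevis, clevis-luks, clevis-dracut]
        state: present

    - name: Check whether a Tang binding already exists (idempotency)
      ansible.builtin.command: clevis luks list -d {{ luks_device }}
      register: clevis_bindings
      changed_when: false
      failed_when: false

    - name: Bind the volume to Tang
      # -k - reads the current passphrase from stdin; -y accepts the
      # advertised Tang key. In production add the key thumbprint to the pin
      # config ({"url": "...", "thp": "..."}) so the binding is pinned.
      ansible.builtin.command: >
        clevis luks bind -y -d {{ luks_device }} -k -
        tang '{"url": "{{ tang_url }}"}'
      args:
        stdin: "{{ luks_passphrase }}"
      when: "'tang' not in clevis_bindings.stdout"
      no_log: true

    - name: Rebuild the initramfs so Clevis can unlock the volume in early boot
      ansible.builtin.command: dracut -f --regenerate-all
      when: "'tang' not in clevis_bindings.stdout"
```

The Tang server has to live outside the appliance and be reachable from the initramfs: if it runs on the same host (or on a VM inside the same cluster), a full power-off leaves nothing available to answer the unlock request and the original passphrase is back in play. The passphrase slot stays in the LUKS header as a fallback, which is what you want when Tang is unreachable.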
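The RKE2 CIS profile and the Keycloak OIDC integration from the "Where Are We Now?" slide (and the SSO point in the Core Capabilities notes), as an added example that is not part of the original deck: the RKE2 server configuration that turns on the CIS profile and points the API server at Keycloak, plus the RBAC binding that gives a Keycloak group cluster-admin. The Keycloak hostname and realm, the `kubernetes` client, the `platform-admins` group, the private CA path and the RKE2 version are assumptions made for the example.

```yaml
# Added example (not from the deck). Two files: the RKE2 server config and
# a cluster manifest. Assumes RKE2 v1.25 or newer (older releases use
# "cis-1.23"), a Keycloak realm "platform" at keycloak.platform.internal with
# a client "kubernetes" that emits a "groups" claim, and the CIS-required
# etcd user and sysctl settings already applied by the STIG/CIS automation.

# /etc/rancher/rke2/config.yaml
profile: "cis"
write-kubeconfig-mode: "0600"
kube-apiserver-arg:
  - "oidc-issuer-url=https://keycloak.platform.internal/realms/platform"
  - "oidc-client-id=kubernetes"
  - "oidc-username-claim=preferred_username"
  # Prefixes stop an OIDC user or group from colliding with built-in names
  # such as system:masters.
  - "oidc-username-prefix=keycloak:"
  - "oidc-groups-claim=groups"
  - "oidc-groups-prefix=keycloak:"
  - "oidc-ca-file=/etc/rancher/rke2/keycloak-ca.pem"   # assumed private CA
---
# Applied with kubectl: map the Keycloak group "platform-admins" to
# cluster-admin. The subject name carries the oidc-groups-prefix.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: keycloak-platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: keycloak:platform-admins
```

On the Keycloak side the `kubernetes` client needs a Group Membership mapper that adds the `groups` claim to the ID token (with "full group path" disabled, so the value is `platform-admins` rather than `/platform-admins`). A quick check after the API server restarts is `kubectl auth can-i '*' '*' --as=keycloak:someone --as-group=keycloak:platform-admins`, which should return `yes` for the bound group and `no` for a user with no group. The CIS profile also refuses to start unless the `etcd` user exists and the kernel parameters from the RKE2 hardening guide are set, so bake those into the same image automation that applies the STIG.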