DevOps & SecOps Support for Insurance Project

Safetyheads

About

Our DevOps team helped a client set up a brand new team to configure CI/CD processes, runtime environments, and support developers with bug fixes. We implemented a Static Application Security Testing solution to ensure applications met security standards and conducted regular scans on container images. We also configured performance testing and internal security tests using automated scanners. Using GitLab CI, Kubernetes, and Advanced Cluster Security, we automated the entire deployment process, ensuring efficient and secure delivery to all environments. Our team provided expertise and support to enable the client to focus on their core business.

Project details

Domain: DevOps & SecOps
Services: Architecture Review / Threat Modeling / Application Security
Project period: 12 months
Method: Time & Material

Problem

  1. The client was setting up a brand new DevOps team whose tasks would include configuring CI/CD processes, configuring runtime environments, configuring applications across the different environments (from development to production), and supporting the developers with bugs on both the application side and the infrastructure side. Because the client had not run such a team before, this was a new experience for them.
  2. The project for which the services were provided required a new approach on the security side. As part of the CI/CD processes, a Static Application Security Testing solution (SonarQube) had to be implemented which, once properly configured, would not pass applications with a significant number of bugs, inadequate test coverage, or outdated and vulnerable dependency versions. An additional requirement was regular security scanning, with an emphasis on scans of container images: images with vulnerabilities scoring above 7 CVSS points were not to be allowed to be deployed to higher environments.
  3. The DevOps team was also responsible for configuring performance testing, which involved working with the testing team. The team prepared and implemented a customized configuration for the tests written by the testers.
  4. Another task for the team was to carry out internal security tests using automated security scanners.
  5. Performing deployments to production and pre-stage environments.
  6. Preparing the configuration of new environments.
  7. Preparing automatic deployment for development environments.
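The image-scan gate described in point 2 can be expressed as a small policy check in the pipeline: parse the scanner's findings, compute the highest CVSS score, and refuse promotion when any finding exceeds the threshold. The script below is an added example, not code from this project or from Advanced Cluster Security; the JSON report shape and the CVE identifiers in it are constructed placeholders, and the `> 7.0` comparison mirrors the page's wording that images "above 7" points are blocked (a finding scored exactly 7.0 passes). Findings the scanner has not yet scored are reported separately rather than silently ignored, so a reviewer can see them.

```python
"""Container-image promotion gate on CVSS score (added example).

Assumptions (not from the page): the scanner output is normalised to a
generic JSON document with a "vulnerabilities" list, each entry carrying
"id", "component", an optional numeric "cvss" and an optional "fixed_in".
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page rule: findings above 7 CVSS points block deployment to higher envs.
CVSS_BLOCK_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: Optional[float]      # None when the scanner has no score yet
    fixed_in: Optional[str]    # None when no fixed version is known


def parse_report(raw: str) -> List[Finding]:
    """Parse the constructed report format into Finding objects."""
    data = json.loads(raw)
    findings: List[Finding] = []
    for entry in data.get("vulnerabilities", []):
        score = entry.get("cvss")
        findings.append(Finding(
            cve=entry["id"],
            component=entry["component"],
            cvss=float(score) if score is not None else None,
            fixed_in=entry.get("fixed_in"),
        ))
    return findings


def blocking_findings(findings: List[Finding],
                      threshold: float = CVSS_BLOCK_THRESHOLD) -> List[Finding]:
    """Findings whose CVSS score is strictly above the threshold."""
    return [f for f in findings if f.cvss is not None and f.cvss > threshold]


def unscored_findings(findings: List[Finding]) -> List[Finding]:
    """Findings without a score; surfaced for manual review, never auto-passed."""
    return [f for f in findings if f.cvss is None]


def gate_decision(raw: str, threshold: float = CVSS_BLOCK_THRESHOLD) -> Dict:
    """Return the promotion decision plus the evidence behind it."""
    findings = parse_report(raw)
    blocking = blocking_findings(findings, threshold)
    scored = [f.cvss for f in findings if f.cvss is not None]
    return {
        "allowed": not blocking,
        "max_cvss": max(scored, default=0.0),
        "blocking": [f"{f.cve} ({f.component}, {f.cvss})" for f in blocking],
        "unscored": [f.cve for f in unscored_findings(findings)],
    }


# Constructed sample report; CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:1.2.3",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "component": "openssl", "cvss": 9.8,
         "fixed_in": "3.0.14"},
        {"id": "CVE-0000-0002", "component": "curl", "cvss": 5.3,
         "fixed_in": "8.7.1"},
        {"id": "CVE-0000-0003", "component": "zlib", "cvss": 7.0},
        {"id": "CVE-0000-0004", "component": "libxml2"},
    ],
})


def main() -> int:
    """CLI entry point: exit 1 to fail the pipeline job when blocked."""
    decision = gate_decision(SAMPLE_REPORT)
    print(json.dumps(decision, indent=2))
    return 0 if decision["allowed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

In a GitLab CI job the non-zero exit status is what stops the pipeline before the deploy stage; the printed JSON gives the developer the component and score to act on.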

Solution proposal

CI/CD processes are implemented using GitLab CI. The runtime platform for the application is Kubernetes, a container orchestrator; the environment is delivered as a private cloud based on OpenShift. The solution also includes a security scanner, Advanced Cluster Security for Kubernetes. Environments are separated by keeping the deployment configuration in a separate GitLab repository, within which Kustomize overlays hold the per-environment differences. The whole deployment process is automated following the GitOps approach, using Argo CD. Security testing is performed with tools such as Nikto and Burp Suite.

Project Execution

Below is a list of the tasks performed.

    • Configuration of CI/CD processes.
    • Configuration of the Static Application Security Testing tool.
    • Configuration of application repositories, including preparation of deployment repositories for these applications (for the GitOps methodology).
    • Performing deployments to production and pre-stage environments.
    • Configuring automatic deployments to development environments.
    • Performing configuration of new environments.
    • Supporting the testing team during performance testing, in particular preparing the automatic launch of JMeter based on parameters agreed with that team.
    • Carrying out internal security tests.

Steps

  • Preparation of ready-made CI/CD process definitions, located in a separate repository, which, in the case of multiple application repositories, facilitates the management of CI/CD definitions.
  • Configuration of the SAST tool, for micro frontend and backend applications.
  • Configuration of automatic deployments to development environments.
  • Configuration of the runtime environment, for performance testing.

Tasks are carried out with the utmost care, which has led to continued cooperation between the company and the client. Many tasks are performed periodically, such as performance tests and the configuration of repositories for new applications. Deployments to production and pre-stage environments take place weekly whenever no development period is in progress.

What the customer said – testimonials
