DevOps: Development and Operation of SDLC
- Description
- Curriculum
- Reviews
In the rapidly evolving world of software development, Citadel Cloud Management has established itself as a leader by offering a sophisticated and comprehensive approach to both DevOps and DevSecOps. Their focus on integrating security seamlessly throughout the software development lifecycle (SDLC) is particularly noteworthy. Here’s an in-depth review of their methodologies and tools:
1. DevOps: A Collaborative Roadmap
Citadel Cloud Management excels in defining DevOps as a collaborative roadmap for the SDLC. Their approach bridges the traditional gap between development and operations teams, fostering an environment where these integral teams work in tandem to develop, implement, and monitor software applications. This collaborative model is pivotal in enhancing operational efficiency and accelerating the delivery of high-quality software. By emphasizing cooperation and shared goals, Citadel ensures that both teams contribute to and benefit from a streamlined development process.
2. CI/CD Pipeline: Six Stages of Excellence
Citadel’s detailed breakdown of the Continuous Integration/Continuous Deployment (CI/CD) pipeline into six stages—Code, Build, Store, Prep, Deploy, and Run—provides a clear and actionable framework for managing the development lifecycle. Each stage is meticulously designed to enhance both functionality and security:
– Code: The focus here is on secure coding practices from the outset. Citadel integrates tools that ensure regular updates and proactive protection of data and applications from Day 1, embedding security deeply within the development process.
– Build: This stage emphasizes secure containerization, where code is transformed into container images that include a core OS and application dependencies. By leveraging containerization tools that manage code securely and conduct runtime dependency scans, Citadel supports agile development without compromising on security.
– Store: Citadel addresses the risks associated with off-the-shelf technologies by advocating for continual vulnerability checks. Their use of VMware Tanzu and VMware Carbon Black Cloud Containerâ„¢ ensures that dependencies are securely pulled and scanned, effectively mitigating risks from third-party components.
– Prep: Prior to deployment, Citadel underscores the importance of validating application configurations against security policies. VMware Tanzu and Carbon Black Cloud Containerâ„¢ play a critical role in this stage, ensuring that configurations are compliant and secure, thus setting up the deployment phase for success.
– Deploy: This stage provides a comprehensive understanding of the application’s security posture through detailed scans and vulnerability assessments. Identifying and addressing issues before production is crucial for maintaining high security standards.
– Run: Ongoing monitoring and automation in this stage ensure continuous compliance and effective risk mitigation. Citadel’s approach helps manage any vulnerabilities that surface post-deployment, maintaining a robust security posture throughout the application’s lifecycle.
3. DevSecOps: A Holistic Integration of Security
Citadel Cloud Management distinguishes DevSecOps from traditional DevOps by highlighting its comprehensive integration of security practices throughout the SDLC. Key aspects include:
– Enhanced Application Security: DevSecOps integrates automated security tools within the CI/CD pipeline, allowing for continuous testing and security audits. This proactive approach ensures vulnerabilities are promptly addressed without disrupting development cycles.
– Cross-Team Ownership: By promoting collaboration between development, security, and operations teams from the start, DevSecOps fosters a unified approach that enhances alignment and efficiency. This cross-team integration helps in building a cohesive security strategy that supports rapid and secure development.
– Streamlined Application Delivery: Security measures embedded early in the lifecycle and automated processes prevent delays caused by late-stage vulnerabilities. This integration supports fast and efficient development cycles, ensuring timely application delivery.
– Limiting Security Vulnerabilities: Automation and pre-built scanning solutions are leveraged to minimize vulnerabilities and accelerate remediation. This approach aligns with agile development practices, reducing risks and enhancing security.
4. VMware’s DevSecOps Implementation
Citadel’s use of VMware tools for DevSecOps is a standout feature. By facilitating ongoing collaboration between development, release management, and security teams, VMware’s solutions effectively enhance security and streamline the CI/CD pipeline. This comprehensive security stack provides a robust foundation for managing the SDLC securely and efficiently.
5. Infrastructure and Tools
Citadel Cloud Management’s integration of key tools and technologies—such as Terraform for infrastructure as code, Jenkins for CI/CD pipelines, Docker and Kubernetes for containerization, and Prometheus and Grafana for monitoring—demonstrates a commitment to a seamless and secure development environment. These tools collectively support modern, agile practices and ensure a resilient infrastructure.
Overall Review
Citadel Cloud Management offers a well-structured and effective approach to DevOps and DevSecOps. Their focus on secure coding practices, containerization, vulnerability management, and cross-team collaboration provides a robust framework for managing the SDLC. The integration of security throughout the CI/CD pipeline and the use of advanced tools ensure a more secure and efficient development process. For organizations aiming to enhance their DevOps practices with a strong security focus, Citadel Cloud Management delivers valuable insights and solutions that are essential for achieving modern development goals.
-
1
DevOps Process and Roadmap -
2
Introduction and Requirements1. If you are using windows laptop, Install GIT client on your laptop by downloading from2. You need to have an AWS account setup already.3. Create an account in GitHub or BitBucket4. Learn Agile/DevOps5. Additionally, we can download Visual Studio Code.
-
3
GitHub Actions, Integrations, Extensions and Webhooks
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository, or deploy merged pull requests to production. https://docs.github.com/en/actions/quickstart
-
4
Bitbucket Jenkins Integration
-
5
Launching EC2 Server, Java, Jenkins, Maven and Tomcat Setup to connect to AWS Cloud
- Install Java 11
- Jenkins Setup:
- Install Jenkins
- Access Jenkins in web browser
- Create another EC2 instance for installing Tomcat and make sure you open port 8080 as well
- Tomcat Installation: Install Tomcat 9 on Ubuntu server | Setup Tomcat 9 on Ubuntu in AWS EC2
-
6
Create Java Web App using Maven and setup in GitHub/Bitbucket repositorySTEP 1: Create private repository in GitHubSTEP 2: Step # 2 Create SSH keys from your Jenkins EC2 machineSTEP 3: Upload SSH Keys in GitHubSTEP 4: Clone Repo locallyStep 5 - Create Java Web App using MavenStep 6 - Push Java Web App using Git commands into GitHub
-
7
How to configure webhooks in GitHub and trigger jobs in JenkinsLet’s see how to add build a webhook in GitHub and then add this webhook in Jenkins.STEPS:-Go to your project repository.-Go to "settings" in the right corner.-Click on "webhooks."-Click "Add webhooks."-You need to enter Jenkins URL & add /github-webhook/ in the end
-
8
Project build in Jenkins to automate Java build in Tomcat deploy of a WAR file
- Java Project is setup in GitHub or your SCM
- Jenkins is up and running on your EC2 Instance with port 8080 opened
- Tomcat is up and running with firewall port opened
- Configure maven installation under Jenkins--> manage Jenkins-> Global Tool Configuration. Under maven installation. enter Maven3 or pick 'latest' as name, enter path of maven installation --> /usr/share/maven and uncheck install automatically option.- Also install deploy to container, Jacoco plugins under Jenkins --> Manage Jenkins --> Manage plug-ins
-
9
Setup SonarQube 7.7 and Integrate with Jenkins Pipeline
SonarQube, also known as Sonar, is an open-source tool for continuous code quality that measures and analyzes the source code. It is built in Java, but capable of analyzing code in 20 diverse languages. SonarQube that not only checks the code and highlights the issues, but also tracks and monitors the code continuously and ensures flawless code integration as well as deployment. It can display the result of the analysis in a visually appealing way using nice charts, ‘green & red lights’, and issues list. it tries to detect bugs, code smells and security vulnerabilities. Many plugins are available to use it as part of continuous integration pipelines, including for Maven, Jenkins and GitHub.
-
10
How to enable SonarQube Scanner for PL/SQL files? - Code quality check for SQL files using SonarQube - Scan sql code using Sonar
How to enable open source plug-in for SonarQube.
-
11
Setup SonaType Nexus 3 on RedHat Linux in EC2
Create a new Redhat EC2 instance with small type. Choose Redhat Enterprise 8.
-
12
Jenkins Nexus Integration - How to integrate Sonatype Nexus with Jenkins
How to install Nexus Artifact Uploader plug-in to integrate Nexus with Jenkins.
-
13
Installing and Setup JFrog Artifactory on Ubuntu 20.04 from the Debian packages or using Docker container images
JFrog Artifactory is the single solution for housing and managing all the artifacts, binaries, packages, files, containers, and components for use throughout your software supply chain.
-
14
Trigger Jenkins build Jobs from Slack Channel
Install Instructions for Slack
- Get a Slack account: https://slack.com/
- Configure the Jenkins integration -
15
Create Scripted Pipeline in Jenkins for Automating Builds, Deployment and Code quality checks
- What is the Scripted Pipeline in Jenkins?
- How to Create Your Jenkins Scripted Pipeline
- Creating Your Jenkins Pipeline Script
- The Jenkinsfile
- Jenkins Scripted Pipeline Security -
16
Jenkins Scripted Pipeline
- Steps to Create Scripted Pipeline in Jenkins
- Pipeline Code
-
17
Jenkins Declarative Pipeline
Jenkins declarative pipelines provide a simplified and more friendly syntax with specific statements for defining them, without needing to learn Groovy. Declarative pipelines in Sourcecode help for automatic triggers and also used as rollback strategy and disaster recovery. See: https://www.blazemeter.com/blog/jenkins-declarative-pipeline
1. Project setup in GitHub or Source Code Management
2. Jenkins and Tomcat (web container) is set up.
3. Maven is installed in Jenkins
4. Sonarqube setup and integrated with Jenkins
5. Nexus configured and integrated with Jenkins
6. Slack channel configured an integrated with Jenkins for notification -
18
Jenkins Master-Slave Architecture
Jenkins master comes with the basic installation of Jenkins, and in this configuration, the master handles all the tasks for your build system. If you are working on multiple projects you may run multiple jobs on each and every project. Some projects need to run on some particular nodes, and in this process, we need to configure slaves.
The Jenkins master acts to schedule the jobs and assign slaves and send builds to slaves to execute the jobs.
It will also monitor the slave state (offline or online) and getting back the build result responses from slaves and the display build results on the console output. The workload of building jobs is delegated to multiple slaves.
-
19
Jenkins End to End Build-Release (CI/CD) Pipeline for MyWeb and Other DevOps Tools Integration
Several companies already have Jenkins server setup, let us create Jenkins project, clone repository, build the CICD and deploy accordingly using Webhook trigger to slack channel
-
20
Provisioning EC2 instance on AWS Cloud using Terraform
Install AWS CLI - AWS CLI Installation Steps on Windows
-
21
Setup SonarQube instance using Terraform
Executing the below command after login to EC2 where you installed Terraform.
-
22
How to Install Java, Maven and Jenkins during bootstrap up in EC2(AWS)
Bootstrapping in AWS simply means to add commands or scripts to AWS EC2’s instance User Data section that can be executed when the instance starts. It is a good automation practice to adopt to ease configuration tasks.
-
23
Suricata VM Installation and Setup on Ubuntu 20.04
Suricata VM Installation and Setup on Ubuntu 20.04
-
24
Create a CI/CD pipeline for GitHub repo using Azure DevOps
Azure DevOps supports a collaborative culture and set of processes that bring together developers, project managers, and contributors to develop software.
-
25
Ansible Setup, Configuration, Deployment and Playbooks
Ansible is a radically simple IT automation system. It handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. Ansible makes complex changes like zero-downtime rolling updates with load balancers easy. More information on the Ansible website.
-
26
PUPPET Overview and Installation
Puppet is a tool that helps you manage and automate the configuration of servers.
-
27
LAMP STACK Overview, LAMP on Ubuntu server, LAMP on Puppet Installation
LAMP stands for Linux, Apache, MySQL, and PHP. Together, they provide a proven set of software for delivering high-performance web applications. Each component contributes essential capabilities to the stack:
-
28
MERN Stack overview, Installation on Ubuntu, Deploy a MERN Stack in Azure
MERN stands for MongoDB, Express, React, and Node is a collection of four major technologies used for the deployment of full-stack web applications. React is used for the front-end, Node and Express are for the backend, and MongoDB is used as a database backend. In the MERN stack, all technologies support the same language for both the front-end and back-end. Each of these technologies provides an end-to-end framework for developing modern and scalable web applications.
-
29
Docker Engine overview, Installation, Storage, Container Logs, Configuring the daemon, Networking, Logging and Security
Docker Engine is an open source containerization technology for building and containerizing your applications.
-
30
Docker on AWS: Setup Elastic Container Registry (ECR)
Amazon ECR uses Amazon S3 for storage to make your container images highly available and accessible, allowing you to reliably deploy new containers for your applications.
-
31
Docker using Jenkins: Docker images CICD build using Jenkins
Jenkins is an automation server often used to build and deploy applications. We’ll be cloning our code repository, build image, test image and publish image using Jenkins Pipeline.
-
32
Docker Image into Nexus Registry, Configuration, Installation and Uploads
How to configure Nexus 3 as Docker Private Registry
-
33
Kubernetes Overview, Setup on Ubuntu AWS using Kubeadm
Kubernetes is an open source container orchestration engine for automating deployment, scaling, and management of containerized applications. Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. Kubernetes is an open source container platform that eliminates many of the manual processes involved in deploying and scaling containerized applications.
-
34
Deploying Prometheus, Grafana and Helm in Kubernetes
-
35
Grafana Cloud and Prometheus
Grafana Cloud is a highly available, an open source visualization and analytics tool fast, fully-managed OpenSaaS logging, metrics, traces, and profiling platform that also provides incident management and our application monitoring service.
-
36
Terraform (Overview and Tutorials)
Configuration management is a systems engineering process for establishing consistency of a product’s attributes throughout its life. A Configuration management system allows the enterprise to define settings in a consistent manner, then to build and maintain them according to the established baselines. A configuration management plan should include a number of tools that:
-
37
Terraform Setup and AWS CLI, IAM, EC2 and S3
Terraform is an adequate tool meant for changing, versioning, or building a complete infrastructure by keeping in mind efficiency and safety. It has the potential to manage all the popular service providers and in-house solutions efficiently.
-
38
Terraform Setup with Storage
-
39
Terraform Setup with Identity, Security and Access Management
-
40
Terraform Setup with Computes
-
41
Azure DevOps(Board, Repos, Pipelines, Test Plans and Artifacts)
Azure DevOps provides integrated features that you can access through your web browser or IDE client. You can use all the services included with Azure DevOps, or choose just what you need to complement your existing workflows. Azure DevOps supports a collaborative culture and set of processes that bring together developers, project managers, and contributors to develop software. It allows organizations to create and improve products at a faster pace than they can with traditional software development approaches.
-
42
Azure WebApp Creation and deployments
Azure Web Apps provides an extensive platform to build an app in Azure without having to deploy, configure and maintain your own Azure virtual machines. We can build any web app using different languages such as ASP.NET, PHP, Node.js, and Python. Web Apps can host a User Interactive application or even a backend service like a WCF Service or Web APIs. With Web Apps, we can leverage the power of Microsoft Azure and build a multi-functional, immensely scalable, highly secured, and seamlessly accessible internet or intranet-based applications. We can also build our applications on-premise and migrate them to Azure Web Apps.
-
43
Azure Kubernetes Services Cluster
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. When you create an AKS cluster, a control plane is automatically created and configured. This control plane is provided at no cost as a managed Azure resource abstracted from the user. You only pay for and manage the nodes attached to the AKS cluster.
-
44
Azure DevOps Pipelines with AWS Resources Integration
Cloud Workloads are becoming increasingly hybridized over time. Some companies do not want to be tied to a single cloud provider for cost, feature set, or disaster recovery, but many times the reasons for hybrid cloud workloads is simply logistical.
-
45
Vulnerability Scanning and Assets Explained
-
46
Qualys Security
Qualys Agent Application Support
- Vulnerability Management (VM)
- Continuous Monitoring(CM)
- Threat Protection (TP)
- Global Asset View (GAV) or Cyber Security Asset Management (CSAM)
- Policy Compliance
- Security Configuration Assessment (SCA)
- File Integration Monitoring (FIM)
- Endpoint Detection and Response (EDR)
- Extended Detection and Response (XDR)
- Custom Assessment and Remediation (CAR)
- Patch Management (PM)
Agents as Data Collectors
- Cloud Agent serves as a 'data collector' (keeping host's resource usage extremely low) -- collected data and metadata is sent to the Qualys Cloud Platform for testing
- Cloud Agent provides the 'response' functionality for many Qualys applications
- Qualys application modules provides their own 'manifest' identifying data to be collected
- Agent data is uploaded to the Qualys Platform for assessment, analysis, correlation, reporting and alerting
-
47
Crowdstrike Security
-
48
Rapid7 Insight Cloud Security
-
49
Intruder Cloud Security
-
50
Aqua Cloud Security
-
51
Splunk Cloud Security
-
52
Prisma Cloud Security
-
55
Serverless Overview
Serverless Cloud lets you build scalable, highly-secure, pay-per-use applications without needing a deep knowledge of cloud services. We reduce all of this complexity by interpreting your code and automatically provisioning the best possible infrastructure to support it.
-
56
Serverless with AWS Lambda
AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. These events may include changes in state or an update, such as a user placing an item in a shopping cart on an ecommerce website.
-
57
Creating a Step Functions State Machine That Uses Lambda on AWS
Invoke AWS Lambda Function with AWS Step Function
Create a Lambda Function
Test the Lambda Function
Create a State Machine
Start a New Execution
-
58
Serverless with Microsoft Azure
Serverless computing enables developers to build applications faster by eliminating the need for them to manage infrastructure. With serverless applications, the cloud service provider automatically provisions, scales, and manages the infrastructure required to run the code.
-
59
Serverless with Google Cloud Platform
Google Cloud Serverless provides the fastest path to cloud native applications, bringing speed and scalability without worrying about managing infrastructure: Google Serverless Overview Concept
