Guided Website Threat Review

Foregenix Blog

Andrew McKenna

An Introduction to DevOps

,06/09/17 09:54

We’ll start at the beginning and ramp up really quickly. DevOps is a portmanteau of development and operations. We can consider it to mean automation of platform operations, or scripted operations. 

Wikipedia has the following definition:

"DevOps (a clipped compound of "development" and "operations") is a software delivery process that emphasizes communication and collaboration from concept to market, including product management, software development, and operations professionals. 

DevOps also automates the process of software integration, testing, deployment and infrastructure changes. It aims to establish a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably."

1280px-Devops-toolchain.svg.pngImage courtesy of Kharnagy under CC 4.0. 


Typically, in a Windows environment, once there's about 5 systems, a Domain Controller will be employed to automate and manage certain tasks. However, in Linux environments, we often find environments of 20 systems or more managed individually. This demands much more overhead, so DevOps automation or environment orchestration makes a lot of sense.

The tools usually used for this type of automation are Ansible, Chef, Puppet, or Salt as well as the recent introduction in Microsoft Windows 2016 of Desired State Configuration (DSC).

Cloud service providers also have various flavours of the above. In AWS it's called OpsWorks, and is based on Chef. Azure has various DevOps tools but the core is based on Ansible, Google Cloud Platform has Consul.


Now what does this mean from an operational and security perspective?

Operationally, it means we can configure profiles for different system types and automate the configuration of those systems according to their functions. One can create a server, allocate a web server profile and the orchestration manager updates and hardens the system, installs required software, configures the system accordingly, and finally deploys the server with little to no manual intervention.

Here's an example of a Chef recipe so you can see how it works. This simple recipe checks to see if Apache is installed and, if the package doesn't exist, it installs it, enables and runs the service:


#Install & Enable Apache

package "apache2" do

action :install


service "apache2" do

action [:enable, :start]



We can build security into the templates used by the orchestration system such that security baselines are automatically implemented on all systems. For this to be successful, we need to ensure the people scripting the templates understand the security requirements and can translate these into configurations. We also need to ensure changes to these templates are monitored; a mistake could render all systems of a given profile insecure, or worse, a malicious actor could automate the deployment of malware.

In considering the recommendations below, it's clear we're looking at a scripting tool which goes through various iterations and versions and can be quite powerful. It's worth mentioning that managing the process is similar to a software development lifecycle (consider that develop is the first part of DevOps).

Anyone looking to deploy DevOps software should consider employing version control and rules which ensure functionality is developed and scripts are reviewed and approved by appropriate parties prior to their implementation into production. Adequate testing outside development should also be performed prior to deployment.

 At a minimum a successful DevOps deployment needs the following:

  • Strong access controls restricting access to authorised users only
  • Individuals writing templates that are knowledgeable about security
  • Changes to templates are approved via change control
  • Changes to templates are subject to peer review and testing
  • Integrity checking on the template files to identify out-of-band changes
  • A version control system

Many non-cloud environments will already use tools for configuration automation. The auto-deployment and scaling functionality provided by cloud platforms mandates greater automation of assurance as misconfigurations are also scalable and expensive.



Kirsty Trainer
The "Key" to Secure Data - P2PE - Derived Unique Key Per Transaction (DUKPT)

Written by Andrew McKenna, PCI QSA, PCIP at Foregenix The encryption key infrastructure usually ...

Read More
Duncan Slater
Alert: Major UK Payment Service Provider iFrame Man-In-The-Middle Breach

The Foregenix Digital Forensics and Incident Response Team recently reported a man-in-the-middle ...

Read More

Cyber Security Insights

Andrew McKenna
14/09/17 11:50

Containers: Keeping You Secure

Given there’s a lot of talk about containerisation in the applications marketplace at the moment, this post is intended to provide a light ...

Read More

Jake Dennys
11/09/17 13:04

Foregenix Achieve 11 Award Nominations in 6 Months

As a UK-based cybersecurity firm, our employees and clients touch every continent on the globe. Despite the company’s small size, with only 91 ...

Read More

Zacharias Pigadas
08/09/17 15:45

Getting The Most Out Of Your Web Application Penetration Test

The purpose of this post is to help clients better prepare, digest and act upon the results of a web application penetration test. A large amount of ...

Read More

Andrew McKenna
06/09/17 09:54

An Introduction to DevOps

We’ll start at the beginning and ramp up really quickly. DevOps is a portmanteau of development and operations. We can consider it to mean automation ...

Read More

Ewan Gardner
07/08/17 14:51

Anatomy Of A Magento Attack: Froghopper

  Magento is the most popular eCommerce web application in the world, with an estimated 236,000 live web sites using the Content Management System ...

Read More