Foregenix Blog

Andrew McKenna

An Introduction to DevOps

,06/09/17 09:54

We’ll start at the beginning and ramp up really quickly. DevOps is a portmanteau of development and operations. We can consider it to mean automation of platform operations, or scripted operations. 

Wikipedia has the following definition:

"DevOps (a clipped compound of "development" and "operations") is a software delivery process that emphasizes communication and collaboration from concept to market, including product management, software development, and operations professionals. 

DevOps also automates the process of software integration, testing, deployment and infrastructure changes. It aims to establish a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably."

1280px-Devops-toolchain.svg.pngImage courtesy of Kharnagy under CC 4.0. 


Typically, in a Windows environment, once there's about 5 systems, a Domain Controller will be employed to automate and manage certain tasks. However, in Linux environments, we often find environments of 20 systems or more managed individually. This demands much more overhead, so DevOps automation or environment orchestration makes a lot of sense.

The tools usually used for this type of automation are Ansible, Chef, Puppet, or Salt as well as the recent introduction in Microsoft Windows 2016 of Desired State Configuration (DSC).

Cloud service providers also have various flavours of the above. In AWS it's called OpsWorks, and is based on Chef. Azure has various DevOps tools but the core is based on Ansible, Google Cloud Platform has Consul.


Now what does this mean from an operational and security perspective?

Operationally, it means we can configure profiles for different system types and automate the configuration of those systems according to their functions. One can create a server, allocate a web server profile and the orchestration manager updates and hardens the system, installs required software, configures the system accordingly, and finally deploys the server with little to no manual intervention.

Here's an example of a Chef recipe so you can see how it works. This simple recipe checks to see if Apache is installed and, if the package doesn't exist, it installs it, enables and runs the service:


#Install & Enable Apache

package "apache2" do

action :install


service "apache2" do

action [:enable, :start]



We can build security into the templates used by the orchestration system such that security baselines are automatically implemented on all systems. For this to be successful, we need to ensure the people scripting the templates understand the security requirements and can translate these into configurations. We also need to ensure changes to these templates are monitored; a mistake could render all systems of a given profile insecure, or worse, a malicious actor could automate the deployment of malware.

In considering the recommendations below, it's clear we're looking at a scripting tool which goes through various iterations and versions and can be quite powerful. It's worth mentioning that managing the process is similar to a software development lifecycle (consider that develop is the first part of DevOps).

Anyone looking to deploy DevOps software should consider employing version control and rules which ensure functionality is developed and scripts are reviewed and approved by appropriate parties prior to their implementation into production. Adequate testing outside development should also be performed prior to deployment.

 At a minimum a successful DevOps deployment needs the following:

  • Strong access controls restricting access to authorised users only
  • Individuals writing templates that are knowledgeable about security
  • Changes to templates are approved via change control
  • Changes to templates are subject to peer review and testing
  • Integrity checking on the template files to identify out-of-band changes
  • A version control system

Many non-cloud environments will already use tools for configuration automation. The auto-deployment and scaling functionality provided by cloud platforms mandates greater automation of assurance as misconfigurations are also scalable and expensive.



Kirsty Trainer
"Key" to Secure Data - P2PE - Derived Unique Key Per Transaction (DUKPT)

Written by Andrew McKenna, PCI QSA, PCIP at Foregenix The encryption key infrastructure usually ...

Read More
Duncan Slater
Alert: Major UK Payment Service Provider iFrame Man-In-The-Middle Breach

The Foregenix Digital Forensics and Incident Response Team recently reported a man-in-the-middle ...

Read More

Cyber Security Insights

Richard Jones
14/02/18 11:14

Foregenix Partner With Ground Labs To Strengthen GDPR Services

The clock is ticking and we are swiftly moving toward the GDPR deadline, with organisations of all shapes and sizes preparing themselves for the new ...

Read More

Jake Dennys
12/02/18 15:18

5 Steps To Make Your Travel Agency PCI Compliant

PCI compliance is no easy feat, it can be a challenge to obtain, but results in lasting consumer trust and peace of mind knowing their data is ...

Read More

Kirsty Trainer
07/02/18 12:34

Foregenix expands into Brazil with new São Paulo office

After an exciting growth period in 2017, we were able to officially launch Foregenix in Australia, extending our service delivery into the land down ...

Read More

Jake Dennys
06/02/18 09:30

Foregenix aim to help travel agents meet IATA accreditation deadline

Travel agents are in a  race against time to meet IATA’s deadline for PCI DSS compliance. They've been given the deadline of March 2018 to become PCI ...

Read More

Benjamin Hosack
05/02/18 13:45

Foregenix expands APAC presence with Dan Ball, Territory Manager. 

Foregenix has further expanded their APAC presence with the addition of Dan Ball to the team as a Territory Manager in Australia, with ...

Read More