Foregenix Blog

Andrew McKenna

An Introduction to DevOps

06/09/17 09:54

We’ll start at the beginning and ramp up really quickly. DevOps is a portmanteau of development and operations. We can consider it to mean automation of platform operations, or scripted operations. 

Wikipedia has the following definition:

"DevOps (a clipped compound of "development" and "operations") is a software delivery process that emphasizes communication and collaboration from concept to market, including product management, software development, and operations professionals. 

DevOps also automates the process of software integration, testing, deployment and infrastructure changes. It aims to establish a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably."

[Image: DevOps toolchain] Image courtesy of Kharnagy under CC 4.0.


Typically, in a Windows environment, once there are about 5 systems, a Domain Controller will be employed to automate and manage certain tasks. In Linux environments, however, we often find 20 systems or more being managed individually. This demands much more overhead, so DevOps automation, or environment orchestration, makes a lot of sense.

The tools usually used for this type of automation are Ansible, Chef, Puppet, or Salt as well as the recent introduction in Microsoft Windows 2016 of Desired State Configuration (DSC).

Cloud service providers also have various flavours of the above. In AWS it's called OpsWorks and is based on Chef; Azure has various DevOps tools, but the core is based on Ansible; Google Cloud Platform has Consul.


Now what does this mean from an operational and security perspective?

Operationally, it means we can configure profiles for different system types and automate the configuration of those systems according to their functions. One can create a server, allocate a web server profile and the orchestration manager updates and hardens the system, installs required software, configures the system accordingly, and finally deploys the server with little to no manual intervention.

Here's an example of a Chef recipe so you can see how it works. This simple recipe ensures the apache2 package is installed (installing it if absent), then enables and starts the service:


# Install & enable Apache
package "apache2" do
  action :install
end

service "apache2" do
  action [:enable, :start]
end



We can build security into the templates used by the orchestration system such that security baselines are automatically implemented on all systems. For this to be successful, we need to ensure the people scripting the templates understand the security requirements and can translate these into configurations. We also need to ensure changes to these templates are monitored; a mistake could render all systems of a given profile insecure, or worse, a malicious actor could automate the deployment of malware.

In considering the recommendations below, it's clear we're looking at a scripting tool that goes through various iterations and versions and can be quite powerful. It's worth mentioning that managing the process is similar to a software development lifecycle (consider that Dev is the first part of DevOps).

Anyone looking to deploy DevOps software should consider employing version control and rules which ensure functionality is developed and scripts are reviewed and approved by appropriate parties prior to their implementation into production. Adequate testing outside development should also be performed prior to deployment.

At a minimum, a successful DevOps deployment needs the following:

  • Strong access controls restricting access to authorised users only
  • Individuals writing templates who are knowledgeable about security
  • Changes to templates are approved via change control
  • Changes to templates are subject to peer review and testing
  • Integrity checking on the template files to identify out-of-band changes
  • A version control system
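The warning above about monitoring changes to templates, and the "integrity checking" item in the list, can be put into practice with a digest manifest of the cookbook tree: record a SHA-256 for every recipe and template file at approval time, then periodically re-check so that any edit that did not go through change control is detected. The following is an added illustration in Ruby (the language Chef recipes are written in); it is not Foregenix's or Chef's own tooling, and the cookbook contents it creates are constructed for the demonstration.

```ruby
require "digest"
require "json"
require "fileutils"
require "tmpdir"

# Build a manifest of SHA-256 digests for every file under dir, keyed by
# relative path, so the result can be compared across runs.
def build_manifest(dir)
  Dir.glob("**/*", base: dir)
     .select { |rel| File.file?(File.join(dir, rel)) }
     .sort
     .map { |rel| [rel, Digest::SHA256.file(File.join(dir, rel)).hexdigest] }
     .to_h
end

# Compare the current state of dir against a manifest recorded at approval
# time. Any modified, added or removed file is an out-of-band change that
# bypassed change control and should be alerted on before the next run.
def verify_manifest(dir, manifest)
  current = build_manifest(dir)
  {
    modified: manifest.keys.select { |f| current.key?(f) && current[f] != manifest[f] },
    added:    current.keys - manifest.keys,
    removed:  manifest.keys - current.keys,
  }
end

def manifest_clean?(result)
  result.values.all?(&:empty?)
end

# Demonstration on a constructed cookbook tree (hypothetical paths and contents).
def demo
  Dir.mktmpdir("cookbooks") do |dir|
    FileUtils.mkdir_p(File.join(dir, "ssh/templates"))
    File.write(File.join(dir, "ssh/templates/sshd_config.erb"),
               "PermitRootLogin no\nPasswordAuthentication no\n")
    manifest = build_manifest(dir)          # taken when the template was approved
    # Simulate an unreviewed edit that weakens the baseline, plus a stray file.
    File.write(File.join(dir, "ssh/templates/sshd_config.erb"),
               "PermitRootLogin yes\nPasswordAuthentication no\n")
    File.write(File.join(dir, "ssh/templates/extra.erb"), "# not peer reviewed\n")
    result = verify_manifest(dir, manifest)
    puts JSON.pretty_generate(result)
    result
  end
end

demo if __FILE__ == $PROGRAM_NAME
```

In practice the approved manifest would be stored alongside the version control tag it was generated from, out of reach of the accounts that can edit the cookbooks.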

Many non-cloud environments will already use tools for configuration automation. The auto-deployment and scaling functionality provided by cloud platforms mandates greater automation of assurance, as misconfigurations are also scalable and expensive.
