By Anand V, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
In this article, we will explore the concept of DevSecOps and discuss how we can apply its principles by building an e-commerce application on Alibaba Cloud. Gartner predicts that,
"By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017."
In recent years, the software development life cycle (SDLC) has shifted from Waterfall to Agile, accompanied by a massive culture shift to DevOps. Continuous integration, continuous deployment, and continuous delivery are now necessary for software development. One major aspect that many developers tend to ignore in DevOps is security. Integrating security at every stage of the DevOps lifecycle is the essential element of DevSecOps.
DevSecOps is a software development concept or mindset that aims at unifying development, operations, and security as a single process in SDLC. In simple terms, DevSecOps is very much like DevOps but with an added emphasis on security. In the process of implementing DevSecOps, there is also a need for DevOps tools, microservices, containers, automation, APIs, and testing tools.
Source: Annotated DevSecOps Cycle, Larry Maccherone
Let's discuss a five step process to successfully implement DevSecOps:
Step 1: Start with DevOps and Shift Left
Step 2: Embrace Microservices
Step 3: Use Containers as Part of the DevSecOps Lifecycle
Step 4: Build Software Code with Automation
Step 5: Integrate API Gateway
Alibaba Cloud offers an integrated package to achieve DevSecOps:
The solution architecture of the services from Alibaba Cloud is shown below.
The container solution architecture mentioned above acts as the microservice platform for software development. A Kubernetes cluster provides excellent support for microservice operations, so you can focus on the development and iteration of your applications.
Splitting a massive app into a collection of microservices allows for agile development, testing, deployment, and O&M. Microservices are also easy to understand, develop, and maintain. Additionally, the free framework and technical options promote efficient communication within teams.
Additionally, Alibaba Cloud microservices have the following features:
As a final step, Alibaba Cloud offers the automation necessary to implement DevSecOps.
Alibaba Cloud supports Packer and Terraform for image packaging and infrastructure provisioning. These tools allow users to swiftly deploy their infrastructure and applications on Alibaba Cloud. Rapid iteration of applications and infrastructure, together with continuous development, improves enterprise operations and minimizes maintenance costs.
Furthermore, Alibaba Cloud provides a set of flexible services designed to help customers rapidly and reliably build and deliver products using Alibaba Cloud and DevOps practices. With support for Terraform and Packer, Alibaba Cloud customers get effective workflows to manage their global infrastructure.
As a result, users save time and can focus on delivering business-critical needs. Packer users can build and configure customized images on Alibaba Cloud using the same workflow and configuration they use for managing images on other platforms. Similarly, Terraform users can provision compute, network, and storage resources on Alibaba Cloud with the same workflow and configuration they would use when managing infrastructure on other clouds.
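As an added illustration of the Terraform workflow described above (this is example configuration written for this article, not code from Alibaba Cloud or the author's project), the following defines a VPC and a security group for a web tier with least-privilege ingress: HTTPS is reachable from the internet, while SSH is restricted to an operations network. The resource and attribute names follow the `aliyun/alicloud` Terraform provider as I know it (`alicloud_vpc`, `alicloud_security_group`, `alicloud_security_group_rule`); the region, CIDR ranges and names are placeholders chosen for the example and should be checked against the current provider documentation before use.

```hcl
terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
    }
  }
}

# Region is an assumption for this example; pick the one your workloads use.
provider "alicloud" {
  region = "ap-southeast-1"
}

# Private network for the e-commerce stack (CIDR chosen for the example).
resource "alicloud_vpc" "shop" {
  vpc_name   = "ecommerce-vpc"
  cidr_block = "10.0.0.0/16"
}

# Security group attached to the web tier instances.
resource "alicloud_security_group" "web" {
  security_group_name = "ecommerce-web"
  vpc_id              = alicloud_vpc.shop.id
}

# Public HTTPS: the only port the internet needs to reach.
# nic_type must be "intranet" for security groups inside a VPC.
resource "alicloud_security_group_rule" "https_in" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "443/443"
  priority          = 1
  security_group_id = alicloud_security_group.web.id
  cidr_ip           = "0.0.0.0/0"
}

# Weak setting to avoid: the same rule with port_range = "22/22" and
# cidr_ip = "0.0.0.0/0" would expose SSH to the whole internet.
# Corrected form: SSH only from the operations/bastion range.
resource "alicloud_security_group_rule" "ssh_ops" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.web.id
  cidr_ip           = "203.0.113.0/24" # placeholder: replace with your bastion or VPN CIDR
}
```

Because the rules live in version control alongside the application code, a reviewer sees any widening of `cidr_ip` or `port_range` in the pull request, which is the "shift left" the article asks for: the network exposure is reviewed before `terraform apply` rather than discovered afterwards.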
Alibaba Cloud is the one stop solution for organizations to evolve towards the DevSecOps model.
Based on the architecture discussed above, I have helped a customer host an e-commerce site using this platform. The e-commerce portal is equipped with simple functionalities, focusing mainly on electronic items – mobile phones, laptops, tablets, home automation products, and cameras.
The store has the minimum features below:
Order Level Data
Technology Stack
Once you complete the 7 steps above, you'll need to maintain the operations of the lifecycle with Cloud Monitor.
There are many available ways for you to host your e-commerce portal. For my solution, I have chosen the web hosting solution by Alibaba Cloud. Alibaba Cloud Web Hosting is a flexible and easy-to-use product that allows you to build or transfer a website using FTP. It supports a wide variety of web builders and is ideal for all kinds of applications, from personal blogs to e-commerce websites. All you need to do is select your preferred package and log in to the Alibaba Cloud Management Console.
As the next step we need to obtain FTP credentials. On your console, navigate to the Web Hosting section under the Domains & Websites. Go to File management and select upload site. On the Upload Site page, you can get the credentials for the FTP or reset the password for the FTP login.
Once this is done, we can manage our web files using an FTP client. We will be using FileZilla as our FTP client. Open FileZilla and enter the Hostname, Username, and Password obtained from the Web Hosting management console, then use Quickconnect.
Upload your codebase to the htdocs folder. Then, you'll need to bind a domain to the Alibaba Cloud server. Go to the console and click Add-on Domains in the left-hand panel. Enter the domain name to bind it with the test domain name and click OK. Resolve the domain name to *.aliwebs.com using a CNAME record. Open the domain name in a browser and you will see the website homepage.
We later integrated the whole solution using Kubernetes and automated deployment. The architecture is very flexible and allows integration with microservices. I have used a few open-source microservice tools such as Hystrix and Chaos Monkey.
I've also added a basic cryptocurrency wallet and the APIs for cryptocurrency integration using BlockCypher.
We have demonstrated the ability to create an e-commerce application with crypto-wallet integration using DevSecOps principles on Alibaba Cloud. This platform also utilizes continuous deployment and automation using DevOps.
Because continuous integration and continuous deployment (CI/CD) are core features of DevOps, it is clear that automation is a significant contributor to the entire DevOps model. Automation aims not only to enhance the software development mechanism but also to close the gaps left by manual effort in the software development model. Organizations can adopt automation to handle frequent regression testing iterations and to speed up the delivery process.
Additionally, developers will find automation a blessing when working on a microservices architecture. And finally, with SecOps, security features such as OAuth are also integrated into the platform.
Resources:
https://github.com/Netflix/Hystrix
https://github.com/Netflix/chaosmonkey
https://www.blockcypher.com/dev/dash/#wallet-api
https://block.io/docs/basic
Raja_KT February 14, 2019 at 6:54 am
Good one. Secops layer is interesting. WAF is https....and Server guard is for host....?