
Microcosm: Your Gateway to a Secure DevOps Pipeline as Code


Get access to the All Day DevOps talk about Microcosm and breaking down communication silos for more performant DevOps pipelines.


Development pipeline: "an automated manifestation of your process for getting software from version control into the hands of your users."

Seems easy, right? Okay, not really. There are key questions to ask first. Who owns the integrated pipeline? What do you measure and monitor, and how, in order to assess pipeline health? What are the key qualities and attributes teams should look for? Oh, and there are 180-some-odd tools available to fit into your DevOps pipeline.

To build your pipeline, you will need to assemble and integrate many moving parts. Of course, you'll also want it to work with the first real deployment. After all, you've spent a lot of capital convincing your organization this was a worthwhile investment, but they are still nervous and skeptical.

If only there were a way to see and understand a pipeline without the large initial investment of resources and even more precious time.

Enter Microcosm

A good friend of mine in the DevOps industry, Hasan Yasar (@securelifecycle), brought this topic to life at a recent conference. Hasan, who works at the Software Engineering Institute (SEI) at Carnegie Mellon, discussed Microcosm during his talk, Secure DevOps Pipeline as Code, D-PaC. Hasan explained that Microcosm was developed at SEI as a miniature, secure DevOps pipeline that is available through infrastructure as code (IaC). It is a miniature version of what you would find in a large organization and is designed to help introduce people to development pipelines.

Stepping back a bit, Hasan reminds us that DevOps is about, "breaking down the communication silos to establish effortless efficiency/collaboration between teams because we're all on the same team, striving for the same goal!" A deployment pipeline helps achieve this goal by integrating security into the deployment process.

To start assessing your development pipeline, Hasan laid out a number of key quality attributes in order to select the right tools.


These attributes will help you seamlessly inject security at multiple points into a development pipeline, illustrated below.

But, what about Microcosm? Well, it consists of four virtual machines and creates a secure DevOps pipeline via IaC using Vagrant, Chef, and Ansible. Each of these services is integral, but, working together, they are invaluable and create a Continuous Integration and Continuous Deployment platform with Secure DevOps best practices.

The first virtual machine offers:

  • Jenkins CI/CD service
  • OWASP ZAP web application security scanner
  • Selenium web application software-testing framework

The second virtual machine offers:

The third virtual machine offers:

  • MediaWiki service
  • Bugzilla issue tracker
  • Hubot chat bot

The fourth virtual machine:

All services and the project are open source, and you can clone the repository at https://github.com/SLS-ALL/devops-microcosm.

What Is Next?

They plan to offer a microservice version and one with Docker containers/Docker Compose, and to continue updating the Chef recipes of the services used to secure vulnerabilities.

You can watch Hasan's entire 30-minute talk for free here.

Craving more knowledge on DevOps? Binge watch any of the 100 DevOps sessions, free of charge, from All Day DevOps here.


Published at DZone with permission of
