In this article, we will explore the concept of DevSecOps and discuss how we can apply its principles by building an e-commerce application on Alibaba Cloud. Gartner predicts that,
“By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.”
In recent years, we have seen the software development life cycle (SDLC) maturity model shift from Waterfall to Agile, along with a massive culture shift to DevOps. Continuous integration, continuous deployment, and continuous delivery are now necessary for software development. One major aspect that many developers tend to ignore in DevOps is security. Integrating security at every stage of the DevOps lifecycle is the essential element of DevSecOps.
What Is DevSecOps?
DevSecOps is a software development concept or mindset that aims at unifying development, operations, and security as a single process in SDLC. In simple terms, DevSecOps is very much like DevOps but with an added emphasis on security. In the process of implementing DevSecOps, there is also a need for DevOps tools, microservices, containers, automation, APIs, and testing tools.
Source: Annotated DevSecOps Cycle, Larry Maccherone
Let’s discuss a five-step process to successfully implement DevSecOps:
Step 1: Start with DevOps and Shift Left
- In software development, the concept of shifting left moves tasks, such as testing, earlier in the cycle so that these tasks occur in parallel with development activities.
- The new application landscape is an opportunity to integrate security measures earlier in the development process to improve the security of the code that reaches production.
- Integrating SAST, DAST and penetration testing, together with vulnerability management, into the pipeline is important.
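As an added example (not code from the article or from Alibaba Cloud), the following script shows what a shift-left gate looks like in practice: the build stage runs the SAST and dependency scanners, and a small policy step reads their report and decides whether the pipeline may continue. The report format, the finding fields, and the file and package names are all constructed for this example and are not any particular scanner's output.

```python
"""Shift-left security gate for a CI pipeline (added example, not from the article).

Reads a scan report and fails the build when unsuppressed findings reach the
configured severity. The JSON shape below is an assumption of this example,
not the format of a specific scanner.
"""
import json
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: what a SAST tool and a dependency scanner might
# emit after running in the build stage. File, rule and package names are
# illustrative placeholders.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"tool": "sast", "rule": "sql-injection", "severity": "high",
         "file": "OrderDao.java", "line": 42, "suppressed": False},
        {"tool": "sast", "rule": "weak-hash", "severity": "medium",
         "file": "PasswordUtil.java", "line": 17, "suppressed": False},
        {"tool": "deps", "rule": "vulnerable-dependency", "severity": "critical",
         "package": "example-lib:1.0.0", "suppressed": True,
         "suppression_reason": "not reachable; tracked in ticket TICKET-PLACEHOLDER"},
        {"tool": "deps", "rule": "outdated-dependency", "severity": "low",
         "package": "example-util:2.3.1", "suppressed": False},
    ]
})


def parse_report(raw):
    """Parse the report and reject anything with an unknown severity label."""
    data = json.loads(raw)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' list")
    for finding in findings:
        if finding.get("severity") not in SEVERITY_RANK:
            raise ValueError("unknown severity in finding: %r" % (finding,))
    return findings


def evaluate_gate(findings, fail_on="high", count_suppressed=False):
    """Return (passed, blocking_findings, summary).

    Suppressed findings are skipped unless count_suppressed is set, so a
    reviewer can still audit what was waived by looking at the summary.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    summary = Counter()
    for finding in findings:
        if finding.get("suppressed") and not count_suppressed:
            summary["suppressed"] += 1
            continue
        summary[finding["severity"]] += 1
        if SEVERITY_RANK[finding["severity"]] >= threshold:
            blocking.append(finding)
    return len(blocking) == 0, blocking, dict(summary)


def main():
    findings = parse_report(SAMPLE_REPORT)
    passed, blocking, summary = evaluate_gate(findings, fail_on="high")
    print("summary:", summary)
    for finding in blocking:
        where = finding.get("file") or finding.get("package")
        print("BLOCKING [%s] %s at %s" % (finding["severity"], finding["rule"], where))
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1   # non-zero exit stops the pipeline stage


if __name__ == "__main__":
    raise SystemExit(main())
```

The script exits non-zero when a blocking finding is present, which is all a CI stage needs to halt the pipeline; the suppression count in the summary keeps waived findings visible rather than silently dropped.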
Step 2: Embrace Microservices
- We need to build applications faster, so we need a microservices architecture.
- With microservices, large and complex systems are decoupled into simple, independent projects. This brings agility and alignment with the overall business and helps developers make changes to the code immediately for the customers.
Step 3: Use Containers as Part of the DevSecOps Lifecycle
- Software containers accelerate development by enabling applications to be broken down into microservices.
- Containers hold packaged pieces of software that contain all the components (the software, system libraries, and file system) needed to run the service. This can improve the quality of testing and reduce the complexity of integration and deployment.
Step 4: Build Software Code with Automation
- Automation aims not only to enhance the software development mechanism but also to fill in the loopholes created by manual effort in the software development model.
- Organizations can adopt automation to tackle frequent regression testing iterations and to speed up the delivery process.
- Developers will find automation a blessing when working on microservices architecture or when working on exceptionally large projects.
Step 5: Integrate API Gateway
- An API gateway establishes a single entry point for all requests coming from clients. This insulates clients from having to understand how an application is partitioned into microservices. It also enables clients to retrieve data from multiple services with only one request.
DevSecOps on Alibaba Cloud
Alibaba Cloud offers an integrated package to achieve DevSecOps:
- Alibaba Cloud Container Service provides support for Kubernetes clusters.
- Using the application deployment capability of Alibaba Cloud Resource Orchestration Service (ROS), users can create a highly available and secure Kubernetes cluster with one click by using ROS templates.
- The Kubernetes cluster consolidates Alibaba Cloud’s storage, network, virtualization, and security capabilities to provide high-performance application management that simplifies cluster creation and expansion.
- Kubernetes deployed on Alibaba Cloud facilitates deployment, expansion, and management of containerized applications.
- It further focuses on containerized management and application development, and comes with the following features:
- Elastic expansion and self-reparation.
- Service discovery and server load balancing.
- Service publication and rollback.
- Secrets and configuration management.
The solution architecture of the services from Alibaba Cloud is shown below.
The container solution architecture mentioned above serves as the microservice platform for software development. A Kubernetes cluster provides excellent support for microservice operations, so you can focus on the development and iteration of applications.
Splitting a massive app into a collection of microservices allows for agile development, testing, deployment, and O&M. Microservices are also easy to understand, develop, and maintain. Additionally, the freedom of framework and technology choice promotes efficient communication within teams.
Additionally, Alibaba Cloud microservices have the following features:
- Lightweight deployment
- Simplified container management
- Low impact on other services
As a final step, Alibaba Cloud offers the automation necessary to implement DevSecOps.
Alibaba Cloud supports Packer for image packaging and Terraform for infrastructure provisioning. These tools allow users to swiftly deploy their infrastructure and applications on Alibaba Cloud. Rapid iteration of applications and infrastructure, together with continuous development, improves operations and minimizes maintenance costs.
Furthermore, Alibaba Cloud provides a set of flexible services designed to help customers to rapidly and reliably build and deliver products using Alibaba Cloud and DevOps practices. With the support of Terraform and Packer, Alibaba Cloud customers can possess impactful workflows to manage their global infrastructure.
Subsequently, users can save time and focus on delivering business-critical needs. Packer users can easily build and configure customized images on Alibaba Cloud using the same workflow and configuration they use for managing images on other platforms. Similarly, Terraform users can provision compute, network, and storage resources on Alibaba Cloud using the same workflow and configuration they would use when managing infrastructure on other clouds.
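Terraform only describes the infrastructure; the DevSecOps step is to check that description before it is applied. As an added example (not code from the article, Alibaba Cloud, or the Terraform provider), the script below runs a policy over the JSON that `terraform show -json` produces for a plan and flags security group rules that open administrative ports to the whole internet. The plan is constructed inline and contains the weak rule (SSH from 0.0.0.0/0) next to the corrected one (SSH only from a bastion subnet); the `alicloud_security_group_rule` attribute names follow the Alibaba Cloud provider as this example assumes them.

```python
"""Policy-as-code check over a Terraform plan (added example, not from the article).

Walks the planned resources and reports ingress rules that expose SSH or RDP
to 0.0.0.0/0 or ::/0. The plan JSON below is constructed for this example; the
attribute names of alicloud_security_group_rule are assumed to match the
Alibaba Cloud Terraform provider.
"""
import json

ADMIN_PORTS = (22, 3389)              # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}         # "anywhere" CIDRs


def _rule(name, port_range, cidr_ip, protocol="tcp"):
    """Build one planned alicloud_security_group_rule entry (constructed data)."""
    return {
        "address": "alicloud_security_group_rule." + name,
        "type": "alicloud_security_group_rule",
        "name": name,
        "values": {"type": "ingress", "policy": "accept", "ip_protocol": protocol,
                   "port_range": port_range, "cidr_ip": cidr_ip},
    }


# Constructed plan: the weak rule, its corrected form, a legitimately public
# HTTPS rule, an "all ports" rule inside a child module, and an unrelated resource.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            _rule("ssh_from_anywhere", "22/22", "0.0.0.0/0"),     # weak setting
            _rule("ssh_from_bastion", "22/22", "10.0.1.0/24"),    # corrected setting
            _rule("https_public", "443/443", "0.0.0.0/0"),        # acceptable
            {"address": "alicloud_instance.web", "type": "alicloud_instance",
             "name": "web", "values": {"instance_name": "web-placeholder"}},
        ],
        "child_modules": [{"address": "module.ops", "resources": [
            _rule("all_ports_open", "-1/-1", "::/0", protocol="all"),
        ]}],
    }}
})


def iter_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    for resource in module.get("resources", []):
        yield resource
    for child in module.get("child_modules", []):
        for resource in iter_resources(child):
            yield resource


def port_range_covers(port_range, port):
    """True if an Alibaba-style 'lo/hi' range includes the port ('-1/-1' means all)."""
    lo, _, hi = port_range.partition("/")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if lo == -1:
        return True
    return lo <= port <= hi


def find_violations(plan_json):
    """Return one record per ingress rule that exposes an admin port to the world."""
    plan = json.loads(plan_json)
    violations = []
    for resource in iter_resources(plan["planned_values"]["root_module"]):
        if resource.get("type") != "alicloud_security_group_rule":
            continue
        values = resource.get("values", {})
        if values.get("type") != "ingress" or values.get("policy", "accept") != "accept":
            continue
        if values.get("cidr_ip") not in WORLD:
            continue
        if values.get("ip_protocol") not in ("tcp", "all"):
            continue
        port_range = values.get("port_range", "-1/-1")
        exposed = [p for p in ADMIN_PORTS if port_range_covers(port_range, p)]
        if exposed:
            violations.append({"address": resource["address"],
                               "cidr_ip": values["cidr_ip"], "ports": exposed})
    return violations


if __name__ == "__main__":
    found = find_violations(SAMPLE_PLAN)
    for v in found:
        print("DENY %s: ports %s open to %s" % (v["address"], v["ports"], v["cidr_ip"]))
    raise SystemExit(1 if found else 0)
```

Run as a pipeline stage between `terraform plan` and `terraform apply`, a non-zero exit blocks the apply; the same walk over `iter_resources` can carry further rules (unencrypted disks, missing tags) without changing the harness.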
Alibaba Cloud is the one stop solution for organizations to evolve towards the DevSecOps model.
Building an E-Commerce Portal Using DevSecOps
Based on the architecture discussed above, I have helped a customer host an e-commerce site using this platform. The e-commerce portal is equipped with simple functionalities, focusing mainly on electronic items — mobile phones, laptops, tablets, home automation products, and cameras.
The store has the minimum features below:
Order Level Data
- FSN ID: The unique identification of each SKU
- Order Date: Date on which the order was placed
- Order ID: The unique identification number of each order
- Order item ID: If you order 2 different products under the same order, 2 different order item IDs are generated under the same order ID; orders are tracked by the order item ID.
- GMV: Gross Merchandise Value or Revenue
- Units: Number of units of the specific product sold
- Order payment type: How the order was paid — prepaid or cash on delivery
- SLA: Number of days it typically takes to deliver the product
- Cust id: Unique identification of a customer
- Product MRP: Maximum retail price of the product
- Product procurement SLA: Time typically taken to procure the product
Prerequisites
- A Linux or Windows machine
- JDK 8 or later
- Apache Maven 3 or later
- Eclipse or other code editor of your choice
- Spring MVC 4.2.5
- Hibernate 5.x
- Database: Oracle, MySQL, SQL Server, or RDS
Solution Architecture of the E-Commerce Platform
How to Implement the Solution with DevSecOps
- Build the store modules using Java and the JDK. This includes Order Management, Shop Management, Customer Management, the Payment module, and Customer Service.
- Shift left in the continuous delivery. This is done by integrating security solutions to the modules, including adding WAF, anti-fraud, Server Guard, security testing, and CloudMonitor.
- Enable the microservices architecture in the above 2 steps. This makes the portal scalable and brings agility and alignment to the business. With this solution, you can make changes to the code immediately for customers.
- Integrate elastic computing in the cloud deployment using Server Load Balancer, Auto Scaling, and Elastic Compute Service (ECS). We used containers as part of the DevOps lifecycle. Containers hold packaged pieces of software that contain all the components (the software, system libraries, and file system) needed to run the service. We used Auto Scaling to handle the spike in customer demand during peak shopping season.
- Also, as part of the development lifecycle, you can use Message Service to help with automation. Message Service is useful for typical large-scale, high-reliability, high-concurrency software automation.
- Integrate object storage, and the backend, through APIs. You will also need databases to handle massive volumes of images, and transcoding capabilities for image processing and for audio and video content.
- Merge CDN with the lifecycles to accelerate content delivery for end users.
Once you complete the 7 steps above, you’ll need to maintain the operations of the lifecycle with CloudMonitor.
Hosting the E-Commerce Portal
There are many available ways for you to host your e-commerce portal. For my solution, I have chosen the web hosting solution by Alibaba Cloud. Alibaba Cloud Web Hosting is a flexible and easy-to-use product that allows you to build or transfer a website using FTP. It supports a wide variety of web builders and is ideal for all kinds of applications, from personal blogs to e-commerce websites. All you need to do is select your preferred package and log in to the Alibaba Cloud Management Console.
As the next step, we need to obtain FTP credentials. In your console, navigate to the Web Hosting section under Domains & Websites. Go to File Management and select Upload Site. On the Upload Site page, you can get the FTP credentials or reset the FTP login password.
Once this is completed, we can manage our web files using an FTP client. We will be using FileZilla as our FTP client. Open FileZilla and enter the hostname, username, and password obtained from the Web Hosting management console to Quickconnect.
Upload your codebase to the htdocs folder. Then, you’ll need to bind a domain to the Alibaba Cloud server. Go to the console and click Add-on Domains in the left-hand panel. Enter the domain name to bind it with the test domain name and click OK. Resolve the domain name to *.aliwebs.com using a CNAME record. Open the domain name in a browser and you will see the website homepage.
We later integrated the whole solution using Kubernetes and automated deployment. The architecture is very flexible and allows integration with microservices. I have used a few open-source microservices such as Hystrix and Chaos Monkey.
I’ve also added a basic cryptocurrency wallet and the APIs for cryptocurrency API integration using BlockCypher.
We have demonstrated the ability to create an e-commerce application with crypto-wallet integration using DevSecOps principles on Alibaba Cloud. This platform also utilizes continuous deployment and automation using DevOps.
Because continuous integration and continuous deployment (CI/CD) are core features of DevOps, it is clear that automation is a significant contributor to the entire DevOps model, for the reasons given in Step 4 above.
Additionally, developers will find automation a blessing when working on a microservices architecture. And finally, with SecOps, security features such as OAuth are also integrated into the platform.
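Step 5 describes the API gateway as the single entry point in front of the microservices, and the conclusion notes that OAuth is integrated into the platform; the two meet at the gateway, which is where a bearer token is checked before any request reaches a backend service. The following is an added example that serves both passages and is not code from the article, from Alibaba Cloud, or from any OAuth library: the route table, the service names and scopes, and the HMAC-signed compact token (a stand-in for an OAuth access token, with the issuer function standing in for the authorization server) are all assumptions of this example.

```python
"""API gateway entry point with bearer-token checks (added example, not from the article).

issue_token() plays the authorization server; route_request() is the gateway
decision for one request. Both share GATEWAY_SECRET, a constructed demo key.
"""
import base64
import hashlib
import hmac
import json
import time

GATEWAY_SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: shared HMAC key

# Route table (assumed names): path prefix -> (backend service, scope required).
ROUTES = {
    "/orders": ("order-service", "orders:read"),
    "/customers": ("customer-service", "customers:read"),
    "/payments": ("payment-service", "payments:write"),
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64url(hmac.new(GATEWAY_SECRET, body.encode(), hashlib.sha256).digest())


def issue_token(subject, scopes, ttl_seconds=300, now=None):
    """Issuer side: compact 'payload.signature' token with subject, scope and expiry."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + _sign(body)


def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, signature = parts
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(body).encode(), signature.encode()):
        return None
    try:
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def route_request(method, path, headers, now=None):
    """Gateway decision for one request: (HTTP status, backend service or reason)."""
    match = None
    for prefix, target in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            match = target
            break
    if match is None:
        return 404, "no route for %s %s" % (method, path)
    service, required_scope = match
    authorization = headers.get("Authorization", "")
    if not authorization.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(authorization[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"
    if required_scope not in claims.get("scope", "").split():
        return 403, "scope %s required" % required_scope
    return 200, service


if __name__ == "__main__":
    token = issue_token("customer-42", ["orders:read"])
    print(route_request("GET", "/orders/1001", {"Authorization": "Bearer " + token}))
    print(route_request("POST", "/payments", {"Authorization": "Bearer " + token}))
    print(route_request("GET", "/orders/1001", {}))
```

Every request passes through the same three checks (route known, token valid, scope sufficient) before the gateway names a backend, so the microservices behind it never see an unauthenticated call and clients never need to know how the application is partitioned.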