DevSecOps
Vision
The DevSecOps practice’s goal is to automate key functions for our development and testing teams, allowing them to work more easily, smarter and faster by utilising standard Enterprise Application Pipelines (EAPs). This allows:
- Increased automation - no manual or semi-manual build and deployments
- Increased modularity - minimal custom, single-app-specific code; heavy re-use of templates
- Improved tooling - using the latest tools, products and platforms in a consistent and efficient manner
- Increased quality and security - quality and security of code and development standards are automated and built in
Key concepts of this practice
- Source Control
- Prepare
- Build
- Verify
- Package
- Publish
- Deploy
Developers commit to Repo
- Azure Repos
- Everything as code
  - Apps
  - Config
  - Even pipeline definitions
- Trunk based development
- Repeatable builds
- Pull Requests (Code Review)
- Branch Protection
- Continuous Integration of features
Pull down source code
- Apps must declare dependencies
- Obtain dependencies
- XRay scans for vulnerabilities in libraries
- Check for known vulnerable dependencies
- Compile code
- Compile unit tests
- Lock dependency graph
- Reproducible builds
- Unit testing
- Unit test coverage
- Code quality analysis (Sonar)
- Security vulnerability code scan (Checkmarx)
- Quality & Security Gates
- Shift Left
- Supply chain vulnerability scans (Xray & Checkmarx)
- Environment agnostic
- Standard Application Packaging
  - NuGet
  - NPM
  - Docker
  - Zip
- JFrog Artifactory to store all AEMO artifacts
- Single versioned artifact
  - appA-2.3.432
- Immutable artifact for each build
- Same artifact deployed to all environments
- XRay running in background
- Artifact stored in repository (JFrog Artifactory)
- Build, Verify and Release phases
- Manual approvals for deployments
- Environment specific configuration
- Secrets management (Azure Key Vault)
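As an added illustration, not code from the original page or an AEMO pipeline, the Python below models two of the concepts above: the Verify-stage quality & security gate (Xray/Checkmarx vulnerability counts, unit test coverage, Sonar blockers) and the "same immutable artifact deployed to all environments" check. The threshold values, the result dictionary shape, the sample digests and the function names are all assumptions.

```python
import hashlib
import re

# Gate thresholds: constructed for this example, not AEMO's actual policy values.
POLICY = {
    "max_critical_vulns": 0,
    "max_high_vulns": 0,
    "min_coverage_pct": 80.0,
    "max_sonar_blockers": 0,
}

# Single versioned artifact convention from the page, e.g. appA-2.3.432
ARTIFACT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*-\d+\.\d+\.\d+$")


def evaluate_gate(results, policy=POLICY):
    """Apply the Verify-stage quality & security gate.

    `results` is a dict in the (assumed) shape of SAMPLE_RESULTS below; a real
    pipeline would assemble it from the Xray, Checkmarx and Sonar reports.
    Returns (passed, reasons) so the pipeline can fail with an explicit message.
    """
    reasons = []
    vulns = results.get("vulns", {})
    for sev in ("critical", "high"):
        limit = policy[f"max_{sev}_vulns"]
        if vulns.get(sev, 0) > limit:
            reasons.append(f"{vulns[sev]} {sev} vulnerabilities exceed limit {limit}")
    coverage = results.get("coverage_pct", 0.0)
    if coverage < policy["min_coverage_pct"]:
        reasons.append(f"unit test coverage {coverage}% below {policy['min_coverage_pct']}%")
    if results.get("sonar_blockers", 0) > policy["max_sonar_blockers"]:
        reasons.append(f"{results['sonar_blockers']} Sonar blocker issues")
    return (not reasons, reasons)


def check_promotion(artifact, env_digests):
    """Confirm one immutable artifact is promoted unchanged across environments.

    `env_digests` maps environment name -> sha256 hex digest recorded at deploy
    time. The name must follow the convention and every environment must have
    received byte-identical content (no per-environment rebuilds).
    """
    if not ARTIFACT_RE.match(artifact):
        return False, f"artifact name {artifact!r} is not <app>-<major>.<minor>.<build>"
    if len(set(env_digests.values())) != 1:
        return False, "artifact content differs between environments"
    return True, f"{artifact} is identical in {', '.join(env_digests)}"


# Constructed sample inputs
SAMPLE_RESULTS = {"coverage_pct": 84.5, "sonar_blockers": 0,
                  "vulns": {"critical": 1, "high": 0, "medium": 3}}
PACKAGE_DIGEST = hashlib.sha256(b"constructed appA-2.3.432 package bytes").hexdigest()
SAMPLE_DIGESTS = {"dev": PACKAGE_DIGEST, "test": PACKAGE_DIGEST, "prod": PACKAGE_DIGEST}
```

With the sample results the gate fails on the single critical vulnerability even though coverage and Sonar are within policy, which is the "shift left" behaviour the gate is meant to enforce.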
Key standards
Welcome to the Development, Security and Operations practice, with the aim of integrating security into every stage of the software development lifecycle.
- Enterprise Standards - Adoption of the Enterprise Application Pipelines using:
- Enterprise Application Patterns, that are architecturally endorsed
- Enterprise Application Pipelines which utilise the Enterprise Application Pipeline application patterns
- Security First - Making everyone accountable for security, with the objective of implementing security decisions and actions at the same scale and speed as development and operations decisions and actions across AEMO's digital platforms
- Automation - Provide a CI/CD platform to deliver maximum value to projects and the organisation through best practice CI/CD
- Collaboration Culture & Community - Grow an organisational DevSecOps culture, and security at the same scale, with a focus on cross-platform sharing of Enterprise Application Pipelines and Patterns