Ensuring component dependencies and facilitating documentation by applying Open Policy Agent in a DevSecOps cloud environment


Perustieteiden korkeakoulu | Master's thesis

Date

2022-10-17

Major/Subject

Security and Cloud Computing

Mcode

SCI3113

Degree programme

Master’s Programme in Security and Cloud Computing (SECCLO)

Language

en

Pages

55

Abstract

In a DevOps environment, developers benefit from fast iteration of the development lifecycle. DevSecOps extends DevOps by integrating security compliance into that lifecycle. DevSecOps guarantees that the security constraints are met during each development iteration, which assures that no vulnerabilities are introduced into the system. Open Policy Agent (OPA) is an open-source policy engine. It enforces declaratively defined policies and can apply them in a distributed environment. OPA can be utilized in DevSecOps to enforce policies on configuration files to improve security compliance and adherence to best practices. However, integrating OPA into an existing workflow is not trivial. This thesis introduces a software engineering model called the Policy Champion Model. It proposes a solution to support DevSecOps and illustrates how to properly manage policies and integrate OPA into a workflow. In addition, this thesis develops a tool called Wand to address the tedious manual effort of modifying configuration files after policy enforcement, so that the process of fixing or supplementing configuration files can be automated. Moreover, the defined policies can be regarded as grey documentation: they supplement traditional documentation for a newly joined developer and facilitate understanding of the policies, security compliance, best practices and other technical knowledge. This thesis demonstrates two typical scenarios for applying DevSecOps in a cloud environment: an observability scenario and a security scenario. The evaluation shows the usage of Wand and its practicality, and shows that the Policy Champion Model with Wand is suitable for agile teams applying DevSecOps. Additionally, policies serve as grey documentation that is responsive and interactive.

Supervisor

Fagerholm, Fabian

Thesis advisor

Fagerholm, Fabian

Keywords

policy champion model, wand, OPA, DevSecOps, DevOps
