Ensuring component dependencies and facilitating documentation by applying Open Policy Agent in a DevSecOps cloud environment
Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Security and Cloud Computing
Master’s Programme in Security and Cloud Computing (SECCLO)
Abstract

In a DevOps environment, developers benefit from fast iteration of the development lifecycle. DevSecOps extends DevOps by integrating security compliance into the lifecycle. DevSecOps guarantees that, during each development iteration, the security constraints are met, which assures that no vulnerabilities are introduced into the system. Open Policy Agent (OPA) is an open-source policy engine. It can declaratively enforce policies and apply them in a distributed environment. OPA can be utilized in DevSecOps to enforce policies on configuration files to improve security compliance and best practices. However, it is not trivial to integrate OPA into an existing workflow. This thesis introduces a software engineering model called the Policy Champion Model. It proposes a solution to support DevSecOps and illustrates how to properly manage policies and integrate OPA into a workflow. In addition, this thesis develops a tool called Wand to tackle the tedious manual effort of modifying configuration files after policy enforcement, so that the process of fixing or supplementing configuration files can be automated. Moreover, the defined policies can be regarded as grey documentation. They supplement traditional documentation for a newly joined developer and facilitate understanding of the policies, security compliance, best practices and other technical knowledge. This thesis demonstrates two typical scenarios for applying DevSecOps in a cloud environment: an observability scenario and a security scenario. The evaluation shows the usage of Wand and its practicality, and shows that the Policy Champion Model with Wand is suitable for agile teams applying DevSecOps. Additionally, policies are grey documentation that is responsive and interactive.
Thesis advisor: Fagerholm, Fabian
Keywords: policy champion model, wand, OPA, DevSecOps, DevOps