In the waterfall style of application development, manual security controls are often implemented late in the application delivery life cycle. But these can be impediments to rapid application delivery and compromise security effectiveness. Modern rapid application development using DevOps strategies is evolving to address this issue. The latest innovation, DevSecOps, is becoming a popular way to rapidly bring greater security to cloud applications.
In the DevSecOps model, DevOps integrates security practices earlier and more deeply throughout the application delivery life cycle. Security can no longer be effectively bolted on after code completion. It is built in from the start of the development phase. Security was previously an afterthought for developers while the bulk of the responsibility rested on the Security or Operations teams. DevSecOps brings that responsibility back into balance. Now, as developers also become the operators, they are accountable for application security too.
For developers, the DevSecOps methodology has important implications. DevSecOps demands that developers become more proficient in security practices and spend more time performing security tasks. Dealing with ever-increasing and more complex vulnerabilities can be challenging. And that’s on top of the constant drumbeat to patch the underlying operating system. These manual, mundane, and error-prone — though necessary — tasks slow down the development process. This only adds to the pressure on developers to deliver applications at a much faster pace in today’s highly competitive landscape.
This is where automation is key to helping DevSecOps teams deploy and maintain highly secure and highly reliable applications, reduce human error and complexity, and deliver software faster. Automation gives developers more time to focus on the more interesting software engineering tasks at hand.
Ultimately, if cloud operations can run fully autonomously, that would eliminate human error and free up developers from operations tasks entirely. To do this, Oracle has been developing its autonomous cloud services starting with Oracle Autonomous Database and Autonomous Linux. In the future, additional cloud services will become autonomous. The idea behind a self-driving, self-repairing cloud is to provide built-in autonomous capabilities for the entire development and deployment life cycle, thus dramatically reducing DevSecOps effort. Examples of the types of autonomous functions envisioned include:
- Auto-Provisioning: Deploy infrastructure such as an operating system or database as needed.
- Auto-Scaling: Automatically scale compute and storage resources completely independently of one another. Scaling occurs online while the application continuously runs.
- Auto-Tuning: Automatically tunes an operating system or a database using Machine Learning algorithms.
Many autonomous capabilities are available today and more are coming online all the time.
Oracle’s autonomous capabilities also provide a more secure and reliable development and runtime environment. An example is autonomous configuration of an operating environment. Many users need an operating environment that is compliant with a specific protection profile for HIPAA, or need to run in FIPS-mode, or must comply with a US government STIG. Oracle’s Autonomous Linux can compare running environments against a gold standard configuration, detect drift, and alter the configuration of the environment online to maintain compliance.
Another example is automated patch management, to keep the operating environment up to date and secure. Using Oracle’s Ksplice technology, the Linux kernel and critical user-space libraries (glibc and OpenSSL) are patched while systems are running. Core libraries, Oracle Cloud and Linux utilities, pre-installed dependency packages for Oracle Database, and Oracle Applications are other key components that are automatically patched daily whenever updates are available. Patches are fully tested to validate compatibility.
Unique to Oracle Autonomous Linux is its built-in zero-downtime self-patching capabilities, that eliminate the need to reboot the system after an update of the kernel and userspace libraries. Linux kernel updates with important new security and reliability patches are released about once per month. Updates for the KVM hypervisor also are released regularly. Industry regulations and best practices require companies to apply these security updates and patches as soon as possible, because security will be compromised by a failure to update. Operators are forced to choose between known best practices versus forced system reboots that are costly and disruptive.
Postponing the installation of updates until a convenient time is a tempting practice, but is also dangerous. Systems that are not up to date are vulnerable to well-known security problems. With an autonomous operating system, critical security patches are automatically applied day one as soon as they are available, dramatically reducing the window of opportunity for a cyberattack. With hands-off patch management, there is no need to schedule or incur operational costs for downtime. As a result, your security compliance is vastly improved even as costs go down.
Leveraging Ksplice Technology
Autonomous Linux takes advantage of Ksplice’s zero-downtime patching technology. So how does Ksplice technology work?
Using Ksplice does not require any preparation before the system is originally booted, such as any special prior compiling of the running kernel. To generate an update, Ksplice analyzes what code within the kernel at the Executable and Linkable Format (ELF) object layer had been changed by the source code patch.
To apply a patch, Ksplice starts by freezing the execution of a computer so it is the only program running. The system is checked to ensure that no processors were in the middle of executing functions that will be modified by the patch. Ksplice updates the beginning of changed functions to point to new versions of those functions, and modifies data and structures in memory that need to be changed. Ksplice then resumes each processor running where it left off. All of this is done in a fraction of a second, meaning no downtime at the application level.
Ksplice’s Known Exploit Detection is another security feature available with Oracle Autonomous Linux. Developers are alerted when certain privilege escalation attempts have been detected and thwarted by a Ksplice patch. Diagnostics are collected to check that patches and updates are deployed successfully.
Future Oracle Autonomous Linux features will further advance its autonomous capabilities, including enhanced automated provisioning, scaling, tuning, and analytics.
Because Autonomous Linux is based on Oracle Linux, partner solutions certified on Oracle Linux will also run on Autonomous Linux on Oracle Cloud Infrastructure.
As for compatibility with Red Hat Enterprise Linux, Oracle Autonomous Linux and Oracle Linux are fully application binary compatible. Applications running on Red Hat Enterprise Linux also run on Oracle Autonomous Linux with no code modifications required.
If your organization is moving towards DevSecOps practices and looking for higher security and reliability of your cloud application platform while freeing yourself from mundane administrative tasks, Autonomous Linux on Oracle Cloud may be worth considering.
To learn how to get started, watch the Oracle Autonomous Linux tutorial.
Feature image from Pixabay.