How GitOps Can Help You Build Better and More Secure Web Applications


What Is GitOps?

GitOps is an operational framework that takes DevOps principles used for application development, such as version control, iterative development, and automation, and applies them to infrastructure automation.

In the traditional continuous integration / continuous delivery (CI/CD) work process, the software development lifecycle is automated, but infrastructure management is still a manual process that requires a dedicated team. Implementing infrastructure automation is becoming increasingly important in modern cloud environments and is a prerequisite for continuous deployment.

Modern applications are developed at high velocity. Organizations with a mature DevOps culture can deploy code to production multiple times per day. DevOps teams can do this by leveraging version control, code reviews, and CI/CD pipelines to automate testing and deployment.

GitOps automates infrastructure deployment—similar to the way teams work with application source code, operations teams that have adopted GitOps use configuration files stored as code. GitOps configurations create the same infrastructure environment each time you deploy, just as the same application binaries are created each time you build your application source code.

What Is Application Security?

Application security is a method of protecting software applications from threats using secure development processes and dedicated security tools. Applications are often deployed on third-party web servers, with legacy components, servers, operating systems, and proprietary code. They can include multiple configurations, pages, folders, parameters, and authentication schemes—any of these can introduce a security vulnerability.

Securing applications requires integration of security techniques from the coding stage, through testing and deployment, all the way to production monitoring and response to security incidents.

How Does GitOps Work?

GitOps allows Infrastructure as Code (IaC) to be hosted and version controlled in Git repositories, and facilitates easier collaboration. Developers follow the same pull request process for infrastructure changes, pushing changes to IaC templates to the master branch. This applies to any infrastructure change, from Kubernetes cluster configuration to changes in the underlying cloud infrastructure.

Anyone on the team, including junior engineers, can submit pull requests, make code changes, and collaborate with other team members on pull requests. A CI pipeline helps manage these changes, validating and testing configuration files in the same way as teams test changes to application code. Other developers, security experts, and operations engineers can review and approve pull requests before they are approved by a senior team member.

This process ensures that configuration changes are thoroughly reviewed before they are applied to your environment. When changes are approved, they are merged into the master branch and deployed to your environment via a CD pipeline.

This automated process creates more visible, high-quality configuration code. Instead of having engineers create configurations on their laptops without anyone else seeing or verifying it, configuration becomes a shared artifact that is managed and validated by the entire team.

3 Ways GitOps Improves Application Security

The unique ability of GitOps tools to handle everything as code impacts security in several ways:

1. Everything Is in Source Control—Including Security Controls

When all configuration and security policies are handled in code, everything can be kept in version control. All changes are made in a highly visible manner, reviewed by relevant roles, and entered into an automated pipeline. The pipeline then validates, deploys, and monitors the changes.

In this way, GitOps provides a single source of information for security controls in a CI/CD pipeline. Any deviations in system configuration can be detected early in the development process, and even if they are detected later, they can be immediately reverted. GitOps moves security further to the left and can effectively catch misconfigurations, bugs, and security issues earlier in the process. This means GitOps is not only a tool for managing infrastructure, but also an opportunity to shift security to the left of the pipeline.

2. Faster Response to Security Issues

Finally, GitOps also speeds up pipeline changes. If the worst happens and your CI/CD pipeline is compromised, GitOps enables a quick response to fix the security issue. For example, you discover that a vulnerability in your pipeline was exploited, you can quickly identify when the vulnerable component was introduced, roll back to a secure version, or roll forward to a version of the pipeline that has patched the vulnerability.

Storing infrastructure as code allows businesses to quickly identify affected lines of code in the repository. This means businesses can quickly assess the scale of an attack and recover faster. It also reduces and minimizes the risk of breaches in the first place, because of the high degree of visibility over changes to the pipeline.

3. Improved Auditability

Beyond the ability to discover and respond faster, GitOps also improves auditability. When an organization is subject to compliance requirements and undergoes external audits, it needs to be able to prove it took security measures, and if security issues were discovered, it needs evidence that they were taken care of quickly. GitOps provides exactly that, with a complete audit trail of all security actions taken throughout the life of a software project.

Conclusion

In this article I explained the basics of GitOps, a new and innovative software development method. I showed three ways GitOps can dramatically improve application security:

  1. Security controls are saved in source control—ensuring that the appropriate controls are always applied to all software artifacts, with high visibility of violations.

  2. Faster response to security issues—when a vulnerability or misconfiguration is discovered, GitOps makes it possible to instantly roll back to a previous safe version, or roll forward to deploy a fix.

  3. Improved auditability—GitOps provides a complete audit trail of all infrastructure changes, preventing ad hoc changes that can lead to security flaws.

I hope this will be useful as you explore the use of GitOps and boost the security of your valuable applications.