CIMET DevSecOps: AWS CodePipeline Case Study

CIMET provides an end-to-end digital comparison platform that uses automation to reduce conversion times and boost brand value. SquareOps helped them bring DevSecOps to their entire infrastructure.
  1. About CIMET: CIMET provides an end-to-end digital comparison platform that uses automation to reduce conversion times and boost brand value. It helps customers compare, switch and save, giving them better overall value.
  2. Problem Statement: The company was struggling to implement DevOps best practices, and security in particular, across its infrastructure, data and applications. We had to bring its cloud workload up to the right security level. This included:
    1. Centralised security controls across the group of application servers
    2. Data encryption at rest and in transit
    3. Security processes introduced from the beginning of the development cycle
    4. A secure way to inject environment variables and other sensitive configuration into the application
    5. Compatibility with CIS compliance best practices
    6. DevSecOps concepts introduced to maintain a continuous security posture for the application and the cloud infrastructure
  3. Solution Implemented:
    1. The solution was built on AWS services, with the application deployed to EC2 instances in an Auto Scaling group. EC2 was preferred over other compute services because the developers were already familiar with it and it kept the setup simple. AWS Well-Architected best practices were applied across all pillars, with particular focus on the Security pillar.
    2. All communication between services was encrypted in transit, and data at rest was encrypted with AWS KMS keys to meet strict data governance standards. Permission to use each KMS key was granted only to the IAM roles that need it, through the key policy and the roles' IAM policies, and database connections likewise used an encrypted protocol.
    3. Implementing DevSecOps in the pipelines was critical to achieving a continuous security posture. AWS CodePipeline was used, with the following tools run as pipeline stages:
      1. SonarQube (code quality and security hotspot analysis)
      2. OWASP Dependency-Check (scanning of third-party dependencies for known vulnerabilities)
      3. PHPStan (SAST)
      4. PHPUnit (unit testing)
      5. OWASP ZAP (automated dynamic security testing of the running application)
    4. All environment variables used by the application are stored in AWS Secrets Manager. The secrets are encrypted with AWS KMS keys, and permission to use those keys is granted only to the CodeBuild service role and the EC2 instance (SSM) role. During the build stage the secrets are fetched and shipped with the build artifact to the target instances. Because the artifact then carries secret material, the artifact bucket must be encrypted and access-restricted as strictly as Secrets Manager itself.
    5. Custom AMIs were built for the application with the required software pre-installed and hardened as far as practical against the CIS benchmarks. AWS Security Hub and Amazon Inspector findings are reviewed regularly to keep the hardening current.
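The following CodeBuild buildspec is an added example, not CIMET's or SquareOps's actual pipeline definition. It wires the five tools listed above into one build and pulls the application's environment from Secrets Manager at build time with the CodeBuild service role, as described in the solution. The secret names, the SonarQube host and project key, the staging URL, the Dependency-Check install path and the runtime versions are all assumptions.

```yaml
version: 0.2

env:
  variables:
    # Assumed values: the case study does not give hostnames or project keys.
    SONAR_HOST_URL: "https://sonarqube.example.internal"
    SONAR_PROJECT_KEY: "cimet-app"
    ZAP_TARGET_URL: "https://staging.example.internal"
  secrets-manager:
    # Resolved by CodeBuild at start of build using the project's service role,
    # so the values never live in the repository. Secret names are assumed.
    APP_ENV_FILE: "cimet/app/env"          # whole .env file stored as the secret value
    SONAR_TOKEN: "cimet/ci/sonar:token"    # JSON secret, key "token"

phases:
  install:
    runtime-versions:
      php: 8.1            # assumed; pick the version matching the application
      java: corretto17    # needed by Dependency-Check and sonar-scanner
    commands:
      - composer install --no-interaction --no-progress --prefer-dist
      - mkdir -p reports
  pre_build:
    commands:
      # Unit tests (PHPUnit). A non-zero exit stops the build here.
      - vendor/bin/phpunit --log-junit reports/phpunit.xml
      # SAST (PHPStan). Findings fail the build via the exit code.
      - vendor/bin/phpstan analyse --no-progress --error-format=junit > reports/phpstan.xml
      # Known-vulnerable dependencies (OWASP Dependency-Check); fail on CVSS >= 7.
      # Install path is an assumption about the build image.
      - /opt/dependency-check/bin/dependency-check.sh --project "$SONAR_PROJECT_KEY" --scan . --format JSON --out reports --failOnCVSS 7
      # Code quality and security hotspots (SonarQube); wait for the quality gate result.
      - sonar-scanner -Dsonar.projectKey="$SONAR_PROJECT_KEY" -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.token="$SONAR_TOKEN" -Dsonar.qualitygate.wait=true
  build:
    commands:
      # Materialise the environment file from the fetched secret, as the
      # case study describes: the secret travels with the artifact.
      - printf '%s\n' "$APP_ENV_FILE" > .env
      - chmod 600 .env
  post_build:
    commands:
      # DAST (OWASP ZAP baseline scan) against an already-running staging
      # deployment. -I keeps WARN findings from failing the step; FAIL still does.
      - docker run --rm -v "$PWD/reports:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t "$ZAP_TARGET_URL" -r zap.html -I

artifacts:
  files:
    - '**/*'
  exclude-paths:
    - 'reports/**/*'   # scan output is kept as build reports, not deployed

reports:
  unit-tests:
    files:
      - reports/phpunit.xml
    file-format: JUNITXML
```

Unit tests, SAST and dependency scanning run in `pre_build` so a failing check stops the build before any artifact is produced. The ZAP step assumes a reachable staging environment; in a real CodePipeline it is usually a separate stage after the deploy action rather than part of the same build. Because `.env` ends up inside the artifact, the artifact bucket and the CodeBuild log group need the same access restrictions as the secrets themselves.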

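As an added example (not a template from CIMET or SquareOps), the CloudFormation snippet below shows the KMS key policy the solution relies on: only the CodeBuild service role and the EC2 instance role may decrypt with the key, and only when the call arrives through Secrets Manager, while the role that writes secret values gets `GenerateDataKey` but no `Decrypt`. Role names, the alias and the secret name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example KMS key and Secrets Manager secret with least-privilege key usage

Parameters:
  CodeBuildRoleName:
    Type: String
    Default: cimet-codebuild-service-role   # assumed name
  Ec2InstanceRoleName:
    Type: String
    Default: cimet-app-ec2-ssm-role         # assumed name
  SecretsWriterRoleName:
    Type: String
    Default: cimet-secrets-admin-role       # assumed name

Resources:
  AppSecretsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer managed key for application secrets (example)
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Key administration only: the account root can manage the key but
          # this statement grants no cryptographic operations (Encrypt/Decrypt).
          - Sid: AllowKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:Create*
              - kms:Describe*
              - kms:Enable*
              - kms:List*
              - kms:Put*
              - kms:Update*
              - kms:Revoke*
              - kms:Disable*
              - kms:Get*
              - kms:Delete*
              - kms:TagResource
              - kms:UntagResource
              - kms:ScheduleKeyDeletion
              - kms:CancelKeyDeletion
            Resource: "*"
          # Writers: may store secret values (Secrets Manager calls GenerateDataKey)
          # but cannot read them back.
          - Sid: AllowSecretWritesViaSecretsManager
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/${SecretsWriterRoleName}
            Action:
              - kms:GenerateDataKey
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com
          # Readers: only the two workload roles, and only through Secrets Manager,
          # so a leaked ciphertext cannot be decrypted with a direct KMS call.
          - Sid: AllowSecretReadsViaSecretsManager
            Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${AWS::AccountId}:role/${CodeBuildRoleName}
                - !Sub arn:aws:iam::${AWS::AccountId}:role/${Ec2InstanceRoleName}
            Action:
              - kms:Decrypt
              - kms:DescribeKey
            Resource: "*"
            Condition:
              StringEquals:
                kms:ViaService: !Sub secretsmanager.${AWS::Region}.amazonaws.com

  AppSecretsKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/cimet-app-secrets     # assumed alias
      TargetKeyId: !Ref AppSecretsKey

  AppEnvSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: cimet/app/env                    # assumed secret name
      Description: Application environment variables (example)
      KmsKeyId: !Ref AppSecretsKey
```

The roles still need `secretsmanager:GetSecretValue` on the secret in their own IAM policies; the key policy above is the second, independent gate. Any principal not named here, including one with a broad IAM policy, is refused by KMS because the administration statement deliberately omits `kms:Decrypt`.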

  4. Results:
    1. A strong security posture was achieved in line with AWS Well-Architected principles, using AWS services such as KMS, Security Hub and CloudTrail.
    2. Only IAM identities with restricted, role-scoped permissions can reach the resources, reducing the blast radius of any single compromised credential.
    3. Newly identified vulnerabilities are caught by the DevSecOps tooling in the pipeline and patched within the normal release cycle.
    4. With Secrets Manager, sensitive environment variables are no longer part of the code base and never need to be embedded in source.