Estupendo, DevOps Case
Estupendo initially ran its infrastructure in a colocation environment and decided to migrate to the AWS Cloud in order to re-architect its application and take advantage of the benefits of the cloud. The team's main interest was to integrate serverless technology more deeply into its architecture, so as to scale without administering servers, and at the same time to accelerate the development cycle and simplify the deployment of its applications to the available environments (testing and production). This posed challenges of both technology and process change, so they sought Clouxter's support to design and implement the associated technology and also to adopt the practices that would let them reach their objectives. In a second stage, Estupendo required compliance with the ISO 27000 family of information security standards, which raised both the objectives and the complexity of the project.
The Estupendo case is an example where business growth requires moving quickly with changes and accelerating both the development process and security testing. DevOps and DevSecOps practices are an excellent approach to the objectives Estupendo set. In this scenario we designed and implemented CI/CD pipelines to automate build and deployment; then, to meet some of its clients' requirements for continuous vulnerability analysis, we implemented a second pipeline focused on security testing with third-party tools such as SonarQube and OWASP ZAP.
The cloud architecture proposed for Estupendo responded to business needs by using serverless components that took customer billing processes from 5 minutes to less than 5 seconds. These processes are no longer executed as batch jobs; instead, a function is triggered immediately for each invoice sent, with scalability guaranteed by the managed services Lambda and API Gateway.
High availability and fault tolerance were guaranteed by using automatic scaling, load balancing, and the deployment of the EC2-based components across multiple AWS Availability Zones.
From a process point of view, the solution simplified how code deployments are carried out, using the AWS tools for DevOps adoption: CodeCommit, CodeDeploy, and CodePipeline. Estupendo adopted continuous integration and continuous deployment practices, giving the development teams autonomy, speed, and up-to-date methodologies for their internal processes.
The pipeline includes the following stages:
- Source stage: code is versioned and stored in CodeCommit using branches. At this stage the code is checked out for analysis.
- SAST stage: after checking out the code, two security tests run with different tools:
  - OWASP Dependency-Check: detects publicly disclosed vulnerabilities in the project's dependencies (software composition analysis).
  - SonarQube: performs automatic reviews with static code analysis to detect bugs, code smells, security vulnerabilities, and security hotspots.
- Approval stage: a manual approval is required before running the next stage, which contains the dynamic application security testing (DAST) tool.
- DAST stage: finally, OWASP ZAP runs an automated dynamic scan against the deployed web application to find security vulnerabilities.
All reports generated by the three analysis tools are centralized by a Lambda function invoked from within the pipeline, which sends the findings to AWS Security Hub.
To achieve these objectives, we proposed a solution built on the following services:
Third-party tools used:
- OWASP Dependency-Check: included in the pipelines to run software composition analysis (SCA).
- SonarQube: integrated into the pipelines to automate static application security testing (SAST).
- OWASP ZAP: integrated into the pipelines to automate dynamic application security testing (DAST).
AWS services used as part of the solution:
- AWS CodePipeline: CI/CD pipelines were created to automate the software release cycle using AWS services such as CodeCommit, CodeBuild, and CodeDeploy.
- CloudWatch: each pipeline has its own log group and log stream in CloudWatch Logs to store its execution logs.
- CloudFormation: the pipelines and all their resources were deployed using CloudFormation templates.
- S3: artifacts generated by the pipelines are stored in S3.
- SNS: invoked at the pipeline approval stage to notify the person in charge of approval by email.
- Lambda: a function designed to send all analysis reports to Security Hub.
- Security Hub: functions as the centralized hub to view the security findings from all the test tools invoked by the pipeline.
- Parameter Store: configuration parameters used by the pipeline are stored here, such as the ZAP API key and the ZAP and SonarQube URLs. A secret such as the ZAP API key belongs in a SecureString parameter, so that it is encrypted with KMS rather than stored as plain text.
Static Analysis Diagram
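The report-centralizing Lambda described above is the piece a practitioner most wants to see, so here is an added example of how it can be written. This is not Clouxter's or Estupendo's code: it maps an OWASP ZAP JSON report and an OWASP Dependency-Check JSON report into the AWS Security Finding Format (ASFF), imports them with Security Hub's BatchImportFindings in batches of at most 100, and reports success or failure back to the CodePipeline job. It also adds a severity gate of the kind the "quality threshold" mentioned later in this case study implies, which is a design choice of this example rather than something the page documents. The `UserParameters` field names (`bucket`, `zap_key`, `dc_key`, `app`) and the sample reports are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# ZAP "riskcode" values as written in its JSON report (assumption: ZAP 2.x report format)
ZAP_RISK = {"0": "INFORMATIONAL", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}


def _finding(account, region, generator, key, title, severity, description, resource):
    """Build one ASFF finding; the deterministic Id makes a re-run update a finding instead of duplicating it."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": hashlib.sha256(f"{generator}|{key}".encode()).hexdigest(),
        # Product ARN for findings imported by the account's own integration
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": generator,
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "CreatedAt": now,
        "UpdatedAt": now,
        "Severity": {"Label": severity},
        "Title": title[:256],
        "Description": (description or title)[:1024],
        "Resources": [{"Type": "Other", "Id": resource}],
    }


def zap_to_asff(report, account, region, app):
    """Map a ZAP JSON report ({"site": [{"@name": url, "alerts": [...]}]}) to ASFF findings."""
    findings = []
    for site in report.get("site", []):
        target = site.get("@name", "unknown")
        for alert in site.get("alerts", []):
            name = alert.get("alert") or alert.get("name") or "ZAP alert"
            findings.append(_finding(
                account, region, f"{app}/owasp-zap",
                key=f"{target}|{alert.get('pluginid', name)}",
                title=f"ZAP: {name}",
                severity=ZAP_RISK.get(str(alert.get("riskcode", "0")), "INFORMATIONAL"),
                description=alert.get("desc", ""),
                resource=target))
    return findings


def dependency_check_to_asff(report, account, region, app):
    """Map a Dependency-Check JSON report ({"dependencies": [{"fileName", "vulnerabilities"}]}) to ASFF."""
    findings = []
    for dep in report.get("dependencies", []):
        artifact = dep.get("fileName", "unknown")
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln.get("name", "unknown")
            label = str(vuln.get("severity", "MEDIUM")).upper()
            findings.append(_finding(
                account, region, f"{app}/dependency-check",
                key=f"{artifact}|{cve}",
                title=f"{cve} in {artifact}",
                severity=label if label in SEVERITY_ORDER else "MEDIUM",
                description=vuln.get("description", ""),
                resource=artifact))
    return findings


def breaches_threshold(findings, threshold="HIGH"):
    """Severity gate: True if any finding is at or above the threshold label."""
    floor = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(f["Severity"]["Label"]) >= floor for f in findings)


def import_findings(securityhub, findings, batch_size=100):
    """BatchImportFindings accepts at most 100 findings per call; returns how many failed to import."""
    failed = 0
    for i in range(0, len(findings), batch_size):
        resp = securityhub.batch_import_findings(Findings=findings[i:i + batch_size])
        failed += resp.get("FailedCount", 0)
    return failed


def handler(event, context):
    """Entry point for a CodePipeline Lambda-invoke action. Assumes UserParameters is the JSON string
    {"bucket": ..., "zap_key": ..., "dc_key": ..., "app": ...} (hypothetical parameter names)."""
    import boto3  # imported here so the mapping functions above run without AWS credentials
    job = event["CodePipeline.job"]
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
    _, _, _, region, account, _ = context.invoked_function_arn.split(":", 5)
    s3 = boto3.client("s3")
    load = lambda key: json.load(s3.get_object(Bucket=params["bucket"], Key=key)["Body"])
    findings = (zap_to_asff(load(params["zap_key"]), account, region, params["app"])
                + dependency_check_to_asff(load(params["dc_key"]), account, region, params["app"]))
    failed = import_findings(boto3.client("securityhub"), findings)
    codepipeline = boto3.client("codepipeline")
    if failed or breaches_threshold(findings):
        codepipeline.put_job_failure_result(
            jobId=job["id"],
            failureDetails={"type": "JobFailed",
                            "message": f"{failed} findings failed to import; severity gate breached"})
    else:
        codepipeline.put_job_success_result(jobId=job["id"])


# Constructed sample reports (not real scan output), reduced to the fields used above
SAMPLE_ZAP = {"site": [{"@name": "https://app.example.test", "alerts": [
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "desc": "CSP header missing."},
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
     "riskcode": "3", "desc": "Reflected XSS on /search."}]}]}
SAMPLE_DC = {"dependencies": [{"fileName": "log4j-core-2.14.1.jar", "vulnerabilities": [
    {"name": "CVE-2021-44228", "severity": "CRITICAL", "description": "JNDI lookup RCE."}]}]}
```

Two details matter in practice: the finding `Id` is a hash of the generator and the alert or CVE, so a pipeline that runs daily updates the same Security Hub finding rather than creating a new one per build, and the Lambda needs IAM permissions for `securityhub:BatchImportFindings`, `s3:GetObject` on the report bucket, and `codepipeline:PutJobSuccessResult`/`PutJobFailureResult`, and nothing broader.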
For Estupendo, the impact of implementing this DevOps-oriented solution could be summarized in the following points:
- Improved agility: with the DevOps pipelines, the customer reduced the operational burden of manually deploying new code versions; as a result, delivery frequency increased from once a month to once a day in the development environment and once a week in production.
- DevSecOps pipelines: with automatic execution of SCA, SAST, and DAST tests, Estupendo now has visibility into the quality and security of its code, with reports generated for each build cycle and stakeholders notified. Additionally, a quality threshold is defined to enforce code quality and detect possible security risks in time.
- Serverless: with the integration of Lambda functions, Estupendo can now focus on writing code rather than managing infrastructure. Developers have much more time to innovate and optimize application functionality and business logic. Since this implementation, support tickets have dropped from 15 per month to just 3.
Estupendo offers companies a service for issuing and receiving electronic invoices through an agile, secure, and reliable platform. Through its electronic billing service it takes on the external complexities of the business so that its clients can focus on their core, and it is committed to meeting the legal and client requirements related to the integrity, availability, and confidentiality of its clients' information and the corresponding billing.
At Clouxter we enable the adoption path and consolidate the cloud in organizations. Our focus is on DevOps, Migration, Security, and Analytics, providing the key pieces to have a great Cloud strategy. We have extensive experience in different industries such as Banking, Media, Fintech, Public Sector, ISVs, and Startups.
We accompany organizations on this path and accelerate their adoption curve, covering the Definition, Planning, Implementation, and Operations of their solutions, through our Professional Consulting Services, Managed Services, and Local Billing.