If you’re considering adding databases to your DevOps process, security needs to be top of mind. Since the goal of implementing database DevOps is to speed up development and deployment, the last thing you want is a security bottleneck placed at the end of the cycle effectively unraveling all of the progress you’ve made to speed things up. Security needs to be integrated into the full DevOps cycle, which is why DevSecOps is such a popular solution.
In DevSecOps, security is a shared responsibility. The entire team needs to consider security at each stage of your pipeline. Automation tools, like Liquibase, can help remove the element of human error at multiple places throughout your process.
Liquibase for DevSecOps
Liquibase makes database change automation easy so that database changes don’t become a bottleneck. Here are some examples of what Liquibase does to promote good DevSecOps practices:
- Works well with secure password automation tools
- Provides high visibility into your changes with Liquibase Hub
- Enables easy traceability of changes through versioned artifacts
- Enables granular change management with changelogs and changesets
- Uses metadata to control deployment behavior from automation tools with labels, contexts, and preconditions
- Compares different database states and easily allows for automated alerts if an unexpected state is found
- Provides instant validation of database code against rules set by your DBA and security teams, available to developers on demand or as a build step in automation
Automation for controlling database access
No one should log into the database individually with elevated privileges. Instead, use automated tools that retrieve credentials from a secrets management repository or "vault" at run time, so that every change is logged: what triggered it, when it ran, and what it contained. That gives you a solid traceability history.
If someone genuinely needs direct, individual access with elevated privileges, they can get it, but it should be treated as an exception, with notifications and alerts in place so that it is never silent or invisible.
Liquibase works with secure password automation tools like CyberArk, HashiCorp Vault, and Oracle Wallet. Many CI/CD tools, such as Jenkins, UCD, and Azure DevOps, also let you store credentials securely and retrieve them at runtime.
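The following is an added example, not code from this page or from Liquibase, of what "retrieve credentials at runtime" looks like in a CI job: the database password is pulled from HashiCorp Vault when the job starts and handed to Liquibase through environment variables, so it is never typed into the pipeline definition and never appears on a command line where `ps`, shell history or CI console logs would capture it. The Vault path `secret/db/app`, the key names `username`/`password`, and the file names are assumptions; the `LIQUIBASE_COMMAND_USERNAME` and `LIQUIBASE_COMMAND_PASSWORD` variables are the ones Liquibase 4.x reads in place of `--username`/`--password`.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or from Liquibase: a CI job pulls the
# database credentials from HashiCorp Vault at run time and hands them to
# Liquibase through environment variables, so the password is never typed
# into the pipeline definition and never appears on a command line.
# Assumptions (not from the page): the secret lives at the KV path in
# VAULT_PATH with the keys "username" and "password", and the Vault CLI is
# already authenticated (VAULT_ADDR and VAULT_TOKEN set by the CI runner).
set -eu

VAULT_PATH="${VAULT_PATH:-secret/db/app}"

# Read a single field of the KV secret; the value is captured, never printed.
vault_field() {
  vault kv get -field="$1" "$VAULT_PATH"
}

# Populate the variables Liquibase reads in place of --username/--password.
# Refuses to continue with an empty credential instead of connecting anyway.
load_db_credentials() {
  user="$(vault_field username)" || return 1
  pass="$(vault_field password)" || return 1
  if [ -z "$user" ] || [ -z "$pass" ]; then
    echo "load_db_credentials: empty credential returned by vault" >&2
    return 1
  fi
  export LIQUIBASE_COMMAND_USERNAME="$user"
  export LIQUIBASE_COMMAND_PASSWORD="$pass"
  unset user pass
}

# Run the deployment with credentials from the environment only, then scrub
# them so later steps in the same job cannot reuse or print them.
run_deploy() {
  load_db_credentials
  liquibase --changelog-file=changelog.xml update
  unset LIQUIBASE_COMMAND_USERNAME LIQUIBASE_COMMAND_PASSWORD
}

# Invoked as `./deploy.sh deploy` from the CI job; sourcing the file only
# defines the functions.
if [ "${1:-}" = "deploy" ]; then
  run_deploy
fi
```

The same shape works with the credential stores built into Jenkins or Azure DevOps: the job injects the secret into the environment, the script exports it under the Liquibase variable names, and nothing in version control or in the console output ever contains the password.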
Eliminate manual reviews & manual work
To reduce database errors that can turn into security vulnerabilities, replace manual reviews and manual rework of database changes with automated checks. According to an analysis by CybSafe of data from the UK Information Commissioner's Office (ICO), human error was the cause of approximately 90% of data breaches reported in 2019.
Automation can help ensure that only good, secure SQL changes get put into your database. Shifting these automated checks left is not only good for ensuring consistency and quality, but it’s also great for reducing rework and improving the overall flow through your pipeline.
Liquibase offers quality checks for on-demand database code validation. DBAs and security teams define the rules that database code must satisfy before it ever reaches production, and your team decides how the pipeline responds to each rule, such as failing the build or only raising a warning.
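As an added illustration of a rule-based build step (this is not Liquibase's quality checks feature and not code from the page), the script below scans a Liquibase formatted SQL changelog for statements a DBA or security team would typically forbid, reports each hit with the changeset that contains it, and exits non-zero so the CI stage fails before the change reaches a shared database. The rule list and the sample changelog are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not Liquibase's quality checks and not code from the page: a
# build-step gate that scans a formatted SQL changelog for statements the DBA
# and security teams have ruled out, prints each hit with the changeset that
# contains it, and fails the build before the change reaches a shared database.
set -eu

# Rules, one extended regular expression per line, matched case-insensitively.
# The list is illustrative; the real one comes from your DBA/security team.
FORBIDDEN_RULES='
GRANT[[:space:]].*TO[[:space:]]+PUBLIC
DROP[[:space:]]+(TABLE|SCHEMA|DATABASE)
TRUNCATE[[:space:]]+TABLE
(ALTER|CREATE)[[:space:]]+USER.*(IDENTIFIED[[:space:]]+BY|PASSWORD)
'

# scan_changelog FILE: one "VIOLATION" line per hit on stderr, the number of
# hits on stdout, and a non-zero exit status when there is anything to fix,
# which is what makes it usable as a CI gate.
scan_changelog() {
  violations=0
  changeset="(before first changeset)"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "--changeset "*) changeset="${line#--changeset }"; continue ;;
      "--"*) continue ;;                 # other Liquibase directives/comments
    esac
    for rule in $FORBIDDEN_RULES; do
      if printf '%s\n' "$line" | grep -Eiq "$rule"; then
        violations=$((violations + 1))
        printf 'VIOLATION in changeset %s: %s\n' "$changeset" "$line" >&2
      fi
    done
  done < "$1"
  printf '%s\n' "$violations"
  [ "$violations" -eq 0 ]
}

# Constructed sample changelog (not from any real project) with three changes
# that break the rules above and one that is fine.
write_sample_changelog() {
  cat > "$1" <<'EOF'
--liquibase formatted sql

--changeset alice:1
CREATE TABLE orders (id INT PRIMARY KEY, total DECIMAL(10,2));

--changeset bob:2
GRANT ALL ON orders TO PUBLIC;

--changeset bob:3
DROP TABLE audit_log;

--changeset carol:4
ALTER USER app_svc IDENTIFIED BY 'Summer2024';
EOF
}

# Usage in a build step: `scan_changelog changelog.sql || exit 1`. Run this
# file with `--demo` to see the three hits from the sample.
if [ "${1:-}" = "--demo" ]; then
  sample="$(mktemp)"
  write_sample_changelog "$sample"
  scan_changelog "$sample" || echo "build would fail here" >&2
fi
```

Because the scan runs on the changelog rather than on the database, it can be wired into a pre-commit hook or the pull-request build, which is the "shift left" the text describes: the developer sees the rejected statement within seconds instead of a DBA finding it during a release-day review.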
"Liquibase helps us standardize our overall release process, reduces human errors, and improves code quality. That means we are able to deliver innovation to our customers faster with reduced operational cost and risk."
Protect against malware with drift detection
Some database attacks work by creating objects inside the database, and the most worrying of these are stored logic such as procedures, functions and triggers. You won't see them unless you are specifically looking for them. Liquibase can inspect a database and compare it against an expected state, which makes drift detection valuable from a security standpoint. If the database is locked down so that the automated pipeline is the only path for changes, there should never be a variance between the database as it sits and its expected state. Any variance means a change was made outside the approved path: a policy violation at best, a compromise at worst, and something to investigate either way. Detecting it quickly and reliably matters. Liquibase detects drift through its snapshot and diff functionality when they are set up in automation.
Snapshots & Diff functionality example
Automate your pipeline to take a snapshot of the database after every deployment and store it in version control. Then, on a regular interval, compare the live database against that snapshot. Because snapshots are only produced by deployments, and every deployment produces a fresh one, the database and the latest snapshot should always match. If they don't, your team can investigate promptly.
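The procedure above, written out as an added example that is not code from this page or from Liquibase: one job records and commits a snapshot after each deployment, a scheduled job diffs the live database against it using Liquibase's offline database type as the reference side, and a small parser turns the text diff report into a pass/fail verdict. A PostgreSQL target, the snapshot path `snapshots/prod.json`, and connection settings already present in the `LIQUIBASE_COMMAND_URL`/`_USERNAME`/`_PASSWORD` environment variables are assumptions; the sample report is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or from Liquibase: the two automation
# jobs behind the snapshot/diff workflow, plus a parser that turns Liquibase's
# text diff report into a pass/fail verdict a scheduler can act on.
# Assumptions (not from the page): a PostgreSQL target, a committed snapshot at
# $SNAPSHOT, and LIQUIBASE_COMMAND_URL/_USERNAME/_PASSWORD already in the
# environment (for example injected from a vault by the CI job).
set -eu

SNAPSHOT="${SNAPSHOT:-snapshots/prod.json}"

# Job 1, right after every successful deployment: capture the schema and
# commit it, so a snapshot can only change by going through the pipeline.
record_snapshot() {
  liquibase snapshot --snapshot-format=json --output-file="$SNAPSHOT"
  git add "$SNAPSHOT"
  git commit -m "schema snapshot after deployment $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Job 2, on a schedule: diff the live database against the committed snapshot,
# using Liquibase's offline database type as the reference side.
check_drift() {
  report="$(mktemp)"
  liquibase diff --reference-url="offline:postgresql?snapshot=$SNAPSHOT" > "$report"
  drift_in_report "$report"
}

# drift_in_report FILE: print each diff category that is not NONE together with
# the objects under it, and return 1 when anything drifted. Relies on the
# layout of the text report: one "Missing|Unexpected|Changed <Type>(s):" heading
# per object type, followed by NONE or by indented object names.
# "Unexpected" objects (in the database but not in the snapshot) are the ones
# to look at first: that is where an injected stored procedure or trigger lands.
drift_in_report() {
  awk '
    /^(Missing|Unexpected|Changed) .*\(s\):/ {
      if ($0 ~ /: *NONE *$/) { heading = ""; next }   # empty category
      heading = $0; print heading; drift = 1; next
    }
    /^[[:space:]]+/ && heading != "" { print }         # objects under an open heading
    END { exit drift }
  ' "$1"
}

# Constructed sample report (not real output from any system) showing a stored
# procedure and a trigger that exist in the database but not in the snapshot.
sample_diff_report() {
  cat <<'EOF'
Reference Database: offline:postgresql?snapshot=snapshots/prod.json
Comparison Database: jdbc:postgresql://db.example.internal:5432/app
Compared Schemas: public
Product Name: EQUAL
Product Version: EQUAL
Missing Column(s): NONE
Unexpected Column(s): NONE
Changed Column(s): NONE
Missing Stored Procedure(s): NONE
Unexpected Stored Procedure(s):
     public.sys_helper
Changed Stored Procedure(s): NONE
Missing Table(s): NONE
Unexpected Table(s): NONE
Changed Table(s): NONE
Missing Trigger(s): NONE
Unexpected Trigger(s):
     public.after_login_copy
Changed Trigger(s): NONE
EOF
}

# `./drift.sh --demo` runs the parser over the sample; the CI job calls
# record_snapshot or check_drift instead.
if [ "${1:-}" = "--demo" ]; then
  demo="$(mktemp)"
  sample_diff_report > "$demo"
  drift_in_report "$demo" || echo "drift detected: open an incident" >&2
fi
```

The non-zero exit from `check_drift` is the hook for alerting: the scheduler treats it as a failed job and pages the on-call, and the printed object names go straight into the ticket. Keeping the reference snapshot in version control also means the investigation can start from a known-good definition of every object, instead of from whatever the attacker left behind.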
Visibility & reporting
Track and report the status of every database deployment across the enterprise, making audits a breeze.
- Eliminate manual tracking of database deployments and errors
- Easy, on-demand access to deployment information
- Centralized database reporting for the entire organization