NIST SP 800-204C (DRAFT) DEVSECOPS FOR A MICROSERVICES-BASED
APPLICATION WITH SERVICE MESH
the CI/CD pipeline not only results in agile deployment and maintenance but also in a robust application platform that is secure and meets performance needs.

The conventional approach to allocating infrastructure for applications consists of initially provisioning compute and networking resources with configuration parameters and ongoing tasks such as patch management (e.g., OS and libraries), establishing conformity to compliance regulations (e.g., data privacy), and making drift correction (where the current configuration no longer provides the intended operational state).

Infrastructure as code (IaC) is a declarative style of code that encodes computer instructions that encapsulate the parameters necessary to deploy virtual infrastructure on a public cloud service or private data center via a service’s management APIs [33]. Depending on the particular IaC tool, this language can either be a scripting language (e.g., Go, JavaScript, Python, TypeScript, etc.) or a proprietary configuration language (e.g., HCL) that may or may not be compatible with standardized languages (e.g., JSON). The basic unit of these instructions is called “configuration” and tells the system how to provision and manage infrastructure (whether an individual compute instance or a complete server, such as a physical server or virtual machine), containers, storage, network connections, connection topology, and load balancers [34]. In some cases, the infrastructure may be short-lived or ephemeral, and the lifespan of the infrastructure (whether immutable or mutable) does not warrant continued configuration management. Provisioning could be tied to individual commits of application code using tools that can connect application code and infrastructure code in a way that is logical, expressive, and familiar to development and operations teams, where application code increasingly defines the infrastructure resource requirements for a cloud application [35].

4.3.1 Comparison of Configuration and Infrastructure

Infrastructure is often confused with configuration [34], which maintains computer systems, software, dependencies, and settings in a desired, consistent state. For example, putting a newly purchased server onto a rack and connecting it to the switches so that it is connected to the existing networks (or launching a new virtual machine and assigning network interfaces to it) belongs to the definition of “infrastructure.” In contrast, after the server is launched, installing an HTTP server and configuring it belongs to configuration management. In physical data centers, specific teams purchase and install servers and connect networking cables with the underlying infrastructure in mind.

4.4 CI/CD Pipeline for Policy as Code
Policy as code involves codifying all policies and running them as part of the CI/CD pipeline so that they become an integral part of the application runtime. Examples of policy categories include authorization policies, networking policies, and implementation artifact policies (e.g., container policies). Policy management capabilities in a typical “policy as code software” may come with a set of predefined policy categories and policies and also support the definition of new policy categories and associated policies by providing policy templates [36].
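As an added example (not from SP 800-204C or any particular policy-as-code product), the following Python shows the three policy categories above expressed as code and evaluated as a pipeline gate over a deployment manifest. The manifest is a constructed Kubernetes-style sample, and the policy names and the approved registry prefix are assumptions chosen for illustration.

```python
# Added example (not from SP 800-204C): a minimal policy-as-code gate that a
# CI/CD stage runs against a deployment manifest before it may be applied.
# The manifest is a constructed Kubernetes-style sample; policy names and the
# approved registry prefix are assumptions chosen for illustration.
APPROVED_REGISTRY = "registry.example.internal/"  # assumed trusted registry

SAMPLE_MANIFEST = {  # constructed input, as a pipeline would load from the repo
    "name": "orders-api",
    "serviceAccount": "default",
    "hostNetwork": False,
    "networkPolicy": None,
    "containers": [
        {"name": "app", "image": "registry.example.internal/orders-api:1.4.2", "privileged": False},
        {"name": "sidecar", "image": "docker.io/library/busybox:latest", "privileged": True},
    ],
}

# Each policy is plain code: manifest in, list of human-readable violations out.
def no_privileged(m):
    return [f"container '{c['name']}' runs privileged" for c in m["containers"] if c.get("privileged")]
def approved_registry(m):
    return [f"container '{c['name']}' image not from approved registry"
            for c in m["containers"] if not c["image"].startswith(APPROVED_REGISTRY)]
def pinned_tag(m):
    return [f"container '{c['name']}' uses mutable tag ':latest'"
            for c in m["containers"] if c["image"].endswith(":latest")]
def network_policy_required(m):
    v = [] if m.get("networkPolicy") else ["no NetworkPolicy restricts ingress/egress"]
    if m.get("hostNetwork"):
        v.append("workload shares the host network namespace")
    return v
def dedicated_service_account(m):
    return ["workload runs as the 'default' service account"] if m["serviceAccount"] == "default" else []

POLICIES = [  # (category, policy name, check), using the categories of Section 4.4
    ("container", "no-privileged", no_privileged),
    ("container", "approved-registry", approved_registry),
    ("container", "pinned-image-tag", pinned_tag),
    ("networking", "network-policy-required", network_policy_required),
    ("authorization", "dedicated-service-account", dedicated_service_account),
]

def evaluate(manifest, policies=POLICIES):
    """Return {"category/name": [violations]} for every policy that fails."""
    return {f"{cat}/{name}": v for cat, name, check in policies if (v := check(manifest))}

def gate(manifest, policies=POLICIES):
    """CI gate decision: True only when no policy reports a violation."""
    return not evaluate(manifest, policies)
```

In a pipeline, the stage would call `gate()` on every manifest in the commit and fail the build on `False`, so a policy violation blocks deployment rather than being discovered at runtime.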
Some examples of policy categories and associated policies are given in