DevSecOps | Liquibase Solutions for Database DevOps

If you’re considering adding databases to your DevOps process, security needs to be top of mind. Since the goal of implementing database DevOps is to speed up development and deployment, the last thing you want is a security bottleneck placed at the end of the cycle effectively unraveling all of the progress you’ve made to speed things up. Security needs to be integrated into the full DevOps cycle, which is why DevSecOps is such a popular solution.

In DevSecOps, security is a shared responsibility. The entire team needs to consider security at each stage of your pipeline. Automation tools, like Liquibase, can help remove the element of human error at multiple places throughout your process.

Liquibase for DevSecOps

Liquibase makes database change automation easy so that database changes don’t become a bottleneck. Here are some examples of what Liquibase does to promote good DevSecOps practices:

Works well with secure password automation tools
Enables easy traceability of changes through versioned artifacts
Enables granular change management with changelogs and changesets
Uses metadata to control deployment behavior from automation tools with labels, contexts, and preconditions
Compares different database states and easily allows for automated alerts if an unexpected state is found
Provides instant validation of database code based on rules set by your DBA and security teams that is available to developers on demand or can be implemented as a build step in automation

Automation for controlling database access

No one should be able to individually log into the database with elevated privileges. Automated tools that can retrieve credentials from secrets management repositories or “vaults” should always be used so that it logs the triggering of the event, the event itself, the contents of the change, and you have a solid traceability history.

If someone does need direct, individual access to a database with elevated privileges, they can get it. But this should be treated as an exception with proper notifications and alerts in place. It should not be done individually or invisibly.

Secure access

Liquibase works with secure password automation tools like CyberArk, HashCorp Vault, and Oracle Wallet. Many CI/CD tools such as Jenkins, UCD, Azure DevOps, and others allow for securely storing credentials and retrieving them at runtime.

Learn More

Eliminate manual reviews & manual work

In order to reduce database errors that may cause security vulnerabilities, it’s important to eliminate manual reviews and manual rework of database changes. According to an analysis by CybSafe of data from the UK Information Commissioner’s Office (ICO), human error was the cause of approximately 90% of data breaches in 2019.

Automation can help ensure that only good, secure SQL changes get put into your database. Shifting these automated checks left is not only good for ensuring consistency and quality, but it’s also great for reducing rework and improving the overall flow through your pipeline.

Enforce rules

Liquibase offers quality checks for on-demand database code validation. Rules are put in place by DBAs and security teams to ensure database code is safe and compliant before it ever gets to production. Your team can process different types of rules and choose how you’d like the system to automatically handle them.

Learn More About Quality Checks

"Liquibase helps us standardize our overall release process, reduces human errors, and improves code quality. That means we are able to deliver innovation to our customers faster with reduced operational cost and risk."

Russell Webster VP and Senior Manager of Delivery Tools & Services  – Zions Bancorporation

Protect against malware with drift detection

There are some database-related attacks that create objects in databases (the most worrisome malicious objects are stored logic types). You can’t see them unless you’re specifically looking for them. Liquibase can inspect databases and compare them against an expected state. Drift detection is incredibly helpful from a security standpoint. If you have the database configuration locked to a specific secure channel, there should never be a variance between the database as it sits and its expected state. If there is variance, then there has been, by definition, a security violation. Detecting this quickly and reliably is important. Liquibase can detect drift by using snapshots and diff functionality when set up in automation.

Automatically detect differences between database states

Automate your process using Liquibase to take a snapshot after every database deployment, put it in version control, and regularly compare your databases. You can set up alerts if the states of the databases don’t match so your team can promptly investigate potential issues.

Detect Changes to Improve Security

WHITE PAPER

Database Compliance in a CI/CD World

Download for Free

Editions

Compare

Use Cases

Industries

Technology

Liquibase University

Connect with the Community

Contact Us

News

[Release] Download Liquibase Pro 4.26.0 for more flexibility, control & observability

Progressive DevOps culture: How Liquibase’s VP of Engineering balances autonomy with impact

Introducing simpler ways to install & manage Liquibase

Solving NoSQL database governance and compliance challenges with CI/CD

Database automation: The DBA’s DevOps dilemma

Database DevOps built with security & speed