Cloud-Native Engineering & DevSecOps

Cloud infrastructure, CI/CD, security-by-design, and site reliability on AWS and Azure.

Overview

GoSource has built and operated cloud-native solutions since 2013, before “cloud-native” was a buzzword. Nearly every system we have delivered runs on AWS or Azure. We built our own Infrastructure as Code framework (Hamlet / CodeOnTap) years before the market delivered mature IaC tools. That deep understanding of IaC internals means we don’t just use these tools — we understand where they break and how to design infrastructure definitions that stay maintainable at scale.

We are an AWS Gold Partner with roughly 50/50 experience across AWS and Azure, including Azure for Australian Government and Protected tenancies. Given a choice we prefer AWS for its cost efficiency and breadth of PaaS services, but we deliver confidently on either.

How We Deliver

PaaS-First Architecture

We prefer managed platform services wherever practical, reducing operational complexity and improving resilience:

Concern              PaaS preference                       IaaS fallback
Compute              AWS Fargate / Azure Container Apps    ECS on EC2 / Azure VMs
Database (SQL)       AWS RDS / Azure SQL Database          Self-managed PostgreSQL
Database (Document)  AWS DocumentDB / Azure Cosmos DB      Self-managed MongoDB
Object Storage       AWS S3 / Azure Blob Storage
Message Streaming    AWS Kinesis / Azure Event Hubs        Self-managed Kafka / Pulsar
Workflow             AWS Step Functions                    Self-managed Temporal
Monitoring           AWS CloudWatch / Azure Monitor        Prometheus + Grafana
CDN / Edge           AWS CloudFront / Azure Front Door

PaaS services handle patching, scaling, backups, and failover automatically, freeing the team to deliver business value rather than manage infrastructure. Under the shared responsibility model the provider patches and operates the service, but its configuration (IAM policies, network exposure, encryption settings, backup retention) remains the customer's responsibility, which is why that configuration is defined in code rather than set by hand.

Infrastructure as Code

All infrastructure is defined in version-controlled code and deployed through automated pipelines. Nothing is configured by hand in a console.

Tool          Use case
Pulumi        Preferred general-purpose IaC, written in Python or TypeScript; supports multi-cloud
Terraform     Declarative IaC where the client ecosystem already favours it
AWS CDK       AWS-specific projects that benefit from native constructs
Azure Bicep   Azure-native projects and APO environments

Every solution runs in the developer's local environment under Docker Compose, and the same IaC definitions, parameterised per environment, promote it through integration, pre-production, and production so that no environment drifts from the others.

Security by Design

Security is embedded at every layer, not bolted on before go-live:

  • Network: VPC isolation, private subnets for data stores, services behind load balancers and WAFs.
  • Identity: Federated authentication via OpenID Connect (on OAuth 2.0) or SAML, RBAC with least privilege, MFA for privileged roles.
  • Data: Encryption at rest (KMS / Key Vault) and in transit (TLS 1.3). No secrets in code; credentials are injected at deploy or run time from the platform's secret store.
  • Pipeline: SAST (SonarQube) and DAST (OWASP ZAP) run in CI/CD, with dependency vulnerability scanning on every build; findings gate the merge rather than being reported after the fact.
  • Monitoring: GuardDuty / Azure Defender (now Microsoft Defender for Cloud) for threat detection. Automated alerting via PagerDuty.

CI/CD

Every project follows the same automated release process from developer commit through to production, with quality gates at every stage. Our agile delivery practice describes the full sprint and release cycle. On mature projects such as National Parks, this pipeline has supported over 200 production releases with zero failures.
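As an added worked example (illustrative code, not GoSource's pipeline), here is the kind of quality gate that turns the pipeline controls listed under Security by Design (no secrets in code, dependency scanning on every build, DAST in CI) into a hard build failure rather than a report nobody reads. It is a single script a CI job runs after the scanners finish. The secret patterns, the risk-accepted exception list and all sample inputs are constructed for illustration; the JSON shapes are assumed to follow pip-audit's `--format json` output and OWASP ZAP's JSON report (riskcode 0 to 3) and should be checked against the scanner versions actually in use.

```python
"""CI quality gate: fail the build on hard-coded credentials, vulnerable
dependencies, or high-risk DAST findings.

Illustrative example only; not GoSource's pipeline code.  The input shapes
assume pip-audit's JSON output and ZAP's JSON report (verify for your versions).
"""
import json
import re
from datetime import date

# (a) A few well-known credential shapes.  Keep this list short and precise:
# broad patterns produce noise, and a noisy gate is the one that gets disabled.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# (b) Risk-accepted vulnerabilities carry an expiry date so an exception
# cannot silently become permanent.  (Constructed example entry.)
ACCEPTED_VULNS = {"PYSEC-0000-EXAMPLE": date(2030, 1, 1)}


def find_secrets(files):
    """files: {path: contents}.  Returns [(path, line_no, pattern_name)]."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    hits.append((path, n, name))
    return hits


def vulnerable_packages(audit_json, today=None):
    """Assumed pip-audit shape: {"dependencies": [{"name", "version",
    "vulns": [{"id", "fix_versions"}]}]}.  Returns [(package, version, vuln_id)]
    for every finding not covered by an unexpired exception."""
    today = date.fromisoformat(today) if today else date.today()
    bad = []
    for dep in json.loads(audit_json)["dependencies"]:
        for v in dep.get("vulns", []):
            expiry = ACCEPTED_VULNS.get(v["id"])
            if expiry and expiry > today:
                continue  # accepted risk, still within its review window
            bad.append((dep["name"], dep["version"], v["id"]))
    return bad


def high_risk_alerts(zap_json, min_risk=3):
    """Assumed ZAP report shape: {"site": [{"alerts": [{"riskcode", "alert"}]}]}.
    riskcode: 0=info, 1=low, 2=medium, 3=high.  Returns alert names >= min_risk."""
    out = []
    for site in json.loads(zap_json)["site"]:
        for a in site.get("alerts", []):
            if int(a["riskcode"]) >= min_risk:
                out.append(a["alert"])
    return out


def gate(files, audit_json, zap_json, today=None):
    """Combine the three checks.  Returns (passed, reasons)."""
    reasons = []
    for path, n, name in find_secrets(files):
        reasons.append(f"secret: {name} at {path}:{n}")
    for pkg, ver, vid in vulnerable_packages(audit_json, today):
        reasons.append(f"vuln: {pkg}=={ver} {vid}")
    for alert in high_risk_alerts(zap_json):
        reasons.append(f"dast: {alert}")
    return (not reasons, reasons)


# Constructed sample inputs (not real scan output).  The AWS key is the
# documented AWS example key, not a live credential.
SAMPLE_FILES = {
    "app/settings.py": 'DEBUG = False\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "app/main.py": "import os\nKEY = os.environ['AWS_ACCESS_KEY_ID']\n",
}
SAMPLE_AUDIT = json.dumps({"dependencies": [
    {"name": "requests", "version": "2.25.0",
     "vulns": [{"id": "PYSEC-0000-EXAMPLE", "fix_versions": ["2.31.0"]},
               {"id": "PYSEC-0001-EXAMPLE", "fix_versions": []}]},
    {"name": "pydantic", "version": "2.0.0", "vulns": []},
]})
SAMPLE_ZAP = json.dumps({"site": [{"alerts": [
    {"riskcode": "3", "alert": "SQL Injection"},
    {"riskcode": "1", "alert": "X-Content-Type-Options Header Missing"},
]}]})

if __name__ == "__main__":
    ok, why = gate(SAMPLE_FILES, SAMPLE_AUDIT, SAMPLE_ZAP, today="2025-01-01")
    print("PASS" if ok else "FAIL")
    for r in why:
        print(" -", r)
    raise SystemExit(0 if ok else 1)  # non-zero exit is what makes this a gate
```

On the sample data the gate fails with three reasons: the hard-coded key in `app/settings.py`, the unaccepted `requests` finding, and the high-risk ZAP alert; the `PYSEC-0000-EXAMPLE` entry is skipped only until its expiry passes. The expiring exception list is the design choice worth copying: a permanent allow-list is how scanner findings stop being actioned.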

Principles

  • Everything as code. Infrastructure, configuration, monitoring rules, and deployment pipelines are all version-controlled. Any environment can be rebuilt from scratch.
  • PaaS over IaaS. Managed services shift operational burden to the cloud provider, improve resilience, and simplify site reliability engineering.
  • No vendor lock-in. We prefer open-source and cloud-agnostic tools where practical. Clients have full access to all infrastructure code.

Policy Alignment

  • ACSC Essential Eight — Automated patching through PaaS, application control through containerisation, restricted admin privileges, MFA enforcement, automated backups.
  • AWS Well-Architected Framework — All six pillars applied through IaC, automated monitoring, and PaaS-first design.
  • OWASP Top 10 — SAST/DAST in pipelines, input validation, secure API design, dependency scanning.

Evidence

  • Case Study: National Parks e-Ticketing — Cloud-native AWS platform since 2015, 200+ zero-failure releases, 99.999% availability.
  • Case Study: DAFF Application Maintenance — 8 systems on AWS; WAF neutralised 141,879 threats in a single month with zero breaches.
  • Case Study: COVIDSafe — Back-end portal built on AWS in weeks, security-hardened with ACSC collaboration.
  • Case Study: Medical Cost Finder — MVP to mature cloud-native platform on Azure over multiple years, 47 production releases.
  • Staff: Kseniya Shychko — DevOps lead; developer of Hamlet/CodeOnTap IaC platform.
  • Staff: Girish Patil — IaC expertise with Pulumi; contributor to GoSource Pulumi open-source library.

Tools & Technologies

  • Infrastructure as Code: Pulumi (preferred), Terraform, AWS CDK, Azure Bicep
  • CI/CD: GitHub Actions, AWS CodePipeline, Azure DevOps Pipelines
  • Containerisation: Docker, Docker Compose, AWS ECS/Fargate, Kubernetes
  • Cloud Platforms: AWS (Gold Partner), Microsoft Azure (including APO)
  • Security: SonarQube, OWASP ZAP, AWS Inspector, GuardDuty, Security Hub
  • Testing: pytest, Jest, Cucumber/Gherkin, Playwright, Postman/Newman, Locust