DevOps Teams Struggle with Cryptographic Security
May 09, 2017

Tim Bedard
Venafi

DevOps teams bring significant benefits to their organizations. From product efficiency to innovation, a mature DevOps program can be a competitive asset for enterprises. Unfortunately, DevOps teams, like many business programs, tend to believe innovation must come with a detriment to security. Security measures are often seen as obstacles that impact the agility that DevOps teams rely on.

Cryptographic assets, such as keys and certificates, are especially important to DevOps teams; however, their security is often lax. Cyber attackers can target DevOps teams' certificates and misuse them to create a tunnel that hides in an organization's encrypted traffic. These kinds of attacks are on the rise; for example, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection.

So, how are DevOps teams handling cryptographic security risks? Venafi recently conducted a study that analyzed the cryptographic security controls used by DevOps teams. The study polled over 430 IT professionals who are responsible for the cryptographic assets of their company's DevOps programs. Unfortunately, the study revealed that most DevOps teams do not consistently implement basic certificate security.

On a positive note, most DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates. However, they clearly are not translating this awareness into meaningful protection. This kind of inaction may leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.

These issues were especially acute among organizations that were just beginning to adopt DevOps practices. However, even organizations that said their DevOps programs were mature often enforced only the most basic security procedures designed to protect cryptographic keys and digital certificates.

Interesting highlights from our survey included:

■ The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

■ In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code is rolled into production. In organizations that are adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice. If certificates are not changed, there is no automated way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

■ 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

■ 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly; however, they can make it difficult to uniquely identify the machines that can be trusted.

■ Key reuse is a widespread problem: 68% of mature DevOps respondents and 79% of adopting respondents say they allow key re-use. While key re-use saves development time, if a cyber criminal is able to gain access to a key they will automatically gain access to any other environment or application where the key is used.
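The three findings above (dev/test certificates surviving into production, self-signed certificates, and key reuse) can each be checked against a certificate inventory. The following is an added example, not code from the article or from Venafi: it assumes a scanner has already extracted subject, issuer, environment and a public-key (SPKI) fingerprint per served certificate, and the hostnames, fingerprints and the dev CA name are constructed sample values.

```python
"""Audit a certificate inventory for self-signed certs, keys shared across
hosts or environments, and non-production certificates serving in production."""
from collections import defaultdict

# Constructed sample inventory (hostnames and fingerprints are not real).
# "spki" is the SHA-256 of the public key: two certificates with the same
# value were issued for the same key pair, i.e. the private key is shared.
INVENTORY = [
    {"host": "api.prod.example", "env": "prod", "subject": "CN=api.example",
     "issuer": "CN=Corp Issuing CA", "spki": "sha256:a1"},
    {"host": "web.prod.example", "env": "prod", "subject": "CN=web.example",
     "issuer": "CN=Corp Issuing CA", "spki": "sha256:b2"},
    {"host": "web.staging.example", "env": "staging", "subject": "CN=web.example",
     "issuer": "CN=Corp Issuing CA", "spki": "sha256:b2"},   # same key as prod
    {"host": "build.dev.example", "env": "dev", "subject": "CN=build.dev.example",
     "issuer": "CN=build.dev.example", "spki": "sha256:c3"},  # self-signed
    {"host": "pay.prod.example", "env": "prod", "subject": "CN=pay.example",
     "issuer": "CN=Dev Test CA", "spki": "sha256:d4"},        # dev cert in prod
]

# Assumption: names of internal CAs whose certificates must never serve in prod.
NON_PROD_ISSUERS = {"CN=Dev Test CA"}


def self_signed(records):
    """A certificate whose issuer equals its subject vouches only for itself."""
    return sorted(r["host"] for r in records if r["subject"] == r["issuer"])


def key_reuse(records):
    """Group by public-key fingerprint; report keys seen on more than one host,
    flagging reuse that crosses an environment boundary (e.g. staging + prod)."""
    by_key = defaultdict(set)
    for r in records:
        by_key[r["spki"]].add((r["host"], r["env"]))
    findings = {}
    for spki, uses in by_key.items():
        if len(uses) > 1:
            envs = {env for _, env in uses}
            findings[spki] = {"hosts": sorted(h for h, _ in uses),
                              "cross_env": len(envs) > 1}
    return findings


def non_prod_certs_in_prod(records):
    """Production hosts still presenting a self-signed or dev/test-CA certificate."""
    return sorted(r["host"] for r in records if r["env"] == "prod"
                  and (r["issuer"] in NON_PROD_ISSUERS or r["subject"] == r["issuer"]))


def audit(records):
    return {"self_signed": self_signed(records), "key_reuse": key_reuse(records),
            "non_prod_in_prod": non_prod_certs_in_prod(records)}


if __name__ == "__main__":
    for finding, detail in audit(INVENTORY).items():
        print(finding, detail)
```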

Overall, DevOps teams are driven by accelerated application development, fast innovation and continuous releases. Hitting the production SLA is the primary thing on a developer's mind; security is the second, third, fourth, tenth thought or concern. While security is important and they are aware of it, it is all about fast development, innovation and releases.

DevOps teams must make sure their machine identities are properly protected. Cyber criminals can not only exploit SSL/TLS keys and certificates, but can also misappropriate SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.

Ultimately, our study reveals that security and DevOps can no longer exist separately. Both teams want their organization to succeed and they can use machine identity protection to remain innovative, and safe, in the future.

Tim Bedard is Director of Threat Intelligence and Analytics for Venafi
