DevOps Teams Struggle with Cryptographic Security
May 09, 2017

Tim Bedard
Venafi

DevOps teams bring significant benefits to their organizations. From product efficiency to innovation, a mature DevOps program can be a competitive asset for enterprises. Unfortunately, DevOps teams, like many business programs, tend to believe innovation must come with a detriment to security. Security measures are often seen as obstacles that impact the agility that DevOps teams rely on.

Cryptographic assets, such as keys and certificates, are especially important to DevOps teams; however, their security is often lax. Cyber attackers can target DevOps teams' certificates and misuse them to create a tunnel to hide in an organization's encrypted traffic. These kinds of attacks are on the rise; for example, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection

So, how are DevOps teams handling cryptographic security risks? Venafi recently conducted a study that analyzed the cryptographic security controls used by DevOps teams. The study polled over 430 IT professionals who are responsible of the cryptographic assets of their company's DevOps programs. Unfortunately, the study revealed that most DevOps teams do not consistently implement basic certificate security.

On a positive note, most DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates. However, they clearly are not translating this awareness into meaningful protection. This kind of inaction may leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.

These issues were especially acute among organizations that were just beginning to adopt DevOps practices. However, even organizations that said their DevOps program were mature often enforced only the most basic security procedures designed to protect cryptographic keys and digital certificates.

Interesting highlights from our survey included:

■ The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

■ In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolled into production. In organizations that are adopting DevOps practices, only a bit over one-third (36%) followed this critical best practice. If certificates are not changed, there is no automated way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

■ 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

■ 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify the machines that can be trusted.

■ Key reuse is a widespread problem: 68% of mature DevOps respondents and 79% of adopting respondents say they allow key re-use. While key re-use saves development time, if a cyber criminal is able to gain access to a key they will automatically gain access to any other environment or application where the key is used.

Overall, DevOps teams are driven by accelerated application development, fast innovation and continuous releases. Hitting the production SLA is the primary thing on a developer's mind; security is the second, third, fourth, tenth thought or concern. While security is important and they are aware of it, it is all about fast development, innovation and releases.

DevOps teams must make sure their machine identities are properly protected. Cyber criminals can not only exploit SSL/TLS keys and certificates, but can also misappropriate SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.

Ultimately, our study reveals that security and DevOps can no longer exist separately. Both teams want their organization to succeed and they can use machine identity protection to remain innovative, and safe, in the future.

Tim Bedard is Director of Threat Intelligence and Analytics for Venafi

The Latest

October 19, 2017

In light of the recent Equifax breach, Gene Kim and speakers from the upcoming DevOps Enterprise Summit San Francisco (DOES17) dissected the situation and discussed the technical leadership lessons learned while offering their own expert advice for handling crisis situations. The following are more highlights from the discussion ...

October 18, 2017

In light of the recent Equifax breach, Gene Kim and speakers from the upcoming DevOps Enterprise Summit San Francisco (DOES17) dissected the situation and discussed the technical leadership lessons learned while offering their own expert advice for handling crisis situations ...

October 16, 2017

A survey of more than 750 development team leaders in the US and UK, revealed that 68 percent plan to build more apps during the next 12 months. At the same time as reporting increased volumes of development, 91 percent of developers surveyed agree that user expectations for innovation and quality have increased, but app deliveries continue to fail ...

October 12, 2017

Today, organizations must digitally evolve or they risk becoming irrelevant. One area that’s been growing in adoption is a shift to developing and deploying modern applications in the cloud, which requires software and IT architects to rethink how to architect and manage these apps ...

October 10, 2017

Designing and deploying complete software-defined data centers (SDDCs) can be complicated because each implementation requires a broad range of infrastructure to support heavy demands for compute, networking, storage, applications and security ...

October 05, 2017

According to LogiGear's State of Software Testing Survey, almost one-third of the respondents are experiencing classic test automation issues. One problem commonly cited among respondents was that management didn’t fully understand what it takes to have a successful automation program ...

October 04, 2017

Load balancing at the DNS (Domain Name System) level has been around for a few decades now, but it didn't become crucial until recently as technology is moving to the cloud. DNS is the perfect solution for managing cloud systems ...

October 02, 2017

QualiTest recently compiled a data report analyzing software testers globally. The report details the Quality Assurance and Software Testing job market, one of the fastest growing job markets and a bellwether of tech employment due to QA's involved in nearly every conceivable industry ...

September 28, 2017

API use is exploding among developers, as APIs are an essential part of software development for the web, IoT, mobile and AI applications. APIs allow a developer to create programs or apps that can successfully request services or data from other applications or operating system. This connectivity, though powerful, is complex, and that complexity grows with new apps, new hardware such as the new iPhone and Echo, and the creation of new APIs ...

September 26, 2017

Companies are placing a greater value on high performing IT professionals as IT demands continue to escalate, according to Puppet's DevOps Salary Report ...

Share this