DevOps Teams Struggle with Cryptographic Security
May 09, 2017

Tim Bedard

DevOps teams bring significant benefits to their organizations. From product efficiency to innovation, a mature DevOps program can be a competitive asset for enterprises. Unfortunately, DevOps teams, like many business programs, tend to believe innovation must come with a detriment to security. Security measures are often seen as obstacles that impact the agility that DevOps teams rely on.

Cryptographic assets, such as keys and certificates, are especially important to DevOps teams; however, their security is often lax. Cyber attackers can target DevOps teams' certificates and misuse them to create a tunnel to hide in an organization's encrypted traffic. These kinds of attacks are on the rise; for example, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection

So, how are DevOps teams handling cryptographic security risks? Venafi recently conducted a study that analyzed the cryptographic security controls used by DevOps teams. The study polled over 430 IT professionals who are responsible of the cryptographic assets of their company's DevOps programs. Unfortunately, the study revealed that most DevOps teams do not consistently implement basic certificate security.

On a positive note, most DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates. However, they clearly are not translating this awareness into meaningful protection. This kind of inaction may leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.

These issues were especially acute among organizations that were just beginning to adopt DevOps practices. However, even organizations that said their DevOps program were mature often enforced only the most basic security procedures designed to protect cryptographic keys and digital certificates.

Interesting highlights from our survey included:

■ The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

■ In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolled into production. In organizations that are adopting DevOps practices, only a bit over one-third (36%) followed this critical best practice. If certificates are not changed, there is no automated way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

■ 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

■ 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify the machines that can be trusted.

■ Key reuse is a widespread problem: 68% of mature DevOps respondents and 79% of adopting respondents say they allow key re-use. While key re-use saves development time, if a cyber criminal is able to gain access to a key they will automatically gain access to any other environment or application where the key is used.

Overall, DevOps teams are driven by accelerated application development, fast innovation and continuous releases. Hitting the production SLA is the primary thing on a developer's mind; security is the second, third, fourth, tenth thought or concern. While security is important and they are aware of it, it is all about fast development, innovation and releases.

DevOps teams must make sure their machine identities are properly protected. Cyber criminals can not only exploit SSL/TLS keys and certificates, but can also misappropriate SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.

Ultimately, our study reveals that security and DevOps can no longer exist separately. Both teams want their organization to succeed and they can use machine identity protection to remain innovative, and safe, in the future.

Tim Bedard is Director of Threat Intelligence and Analytics for Venafi

The Latest

March 19, 2018

The global DevOps market size is expected to reach USD 12.85 billion by 2025, according to a new study by Grand View Research, registering an 18.60% CAGR during the forecast period ...

March 15, 2018

More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective, according to a SecOps research report released by Threat Stack ...

March 13, 2018

While microservices can certainly be used for greenfield projects, the survey suggests that this is not the sole source of value. In fact, more than half of respondents indicate that they are also using microservices to re-architect existing projects. The reality we see is that microservices can offer value to users along their IT transformation journey — whether they are just looking to update their current application portfolio or are gearing up for new initiatives ...

March 12, 2018

As DevOps teams and developers are looking to make 2018 the year in which technical crises are avoided, continuous testing should be at the top of their resolutions list. Here are four steps developers and DevOps teams can take to ensure the benefits of continuous testing are effectively implemented throughout the development process ...

March 08, 2018

Digital leaders will outpace their rivals by adopting methodologies and mindsets that shorten software delivery cycles. They'll also get really, really good at rapid, iterative change following design thinking principles ...

March 06, 2018

There are six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments, and there are also some best practices companies can use to address those pain points ...

March 05, 2018

With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale. Far from it. There are six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments, and there are also some best practices companies can use to address those pain points ...

March 01, 2018

With the growing adoption of tablets and smartphones, companies are constantly seeking new web technologies that support multiple device types in addition to traditional desktops. At the same time, they are continually adding capabilities to their web applications that help users visualize and analyze data regardless of the platform or device used. To keep up in this changing technology environment, organizations must deliver these complex applications quickly, with high quality, and yet find ways to maximize their investment in these apps over the long haul ...

February 27, 2018

While most organizations are committed to the full adoption of both agile and DevOps, many are struggling with key challenges and missing out on the extensive benefits these practices can have on their bottom line, according to a global study by CA Technologies ...

February 26, 2018

To help understand the current state of development trends, Dimensional Research and Micro Focus worked together to create the, Managing the migration to DevOps: A global survey of software developers report. The research shows that nearly all organizations are already adopting or are taking a strong interest in the processes necessary to implement DevOps. But, there are challenges to overcome as companies because they are often running both traditional waterfall and DevOps development and release processes in tandem — and plan to support both into the future ...

Share this