The DevOpportunity: Prioritizing Security
May 02, 2018

John Walsh
CyberArk

It wasn't long ago when operations, development and security teams didn't talk to each other – and probably sat at different lunch tables in the cafeteria.

Fortunately, DevOps has broken down the traditional wall between operations and development. These teams now recognize that operational considerations need to be factored into development decisions from the very beginning, and vice versa, to get the best results.

But what about the security team? Security is largely still siloed from operations and development. No doubt, many DevOps teams have some security controls baked into their automation processes, but a recent survey shows there are still alarming gaps.

Survey Says: The Secret is Out

According to the 2018 CyberArk Global Advanced Threat Landscape report, fewer than half of DevOps survey respondents said DevOps and security teams are well integrated, and 41 percent said security teams are only brought in at the end of the development cycle. It is hard to defend the claim that security is built into the DevOps process when most organizations admit the two teams are not well integrated.

And while development and operations teams can be expected to be knowledgeable about security to a certain point, it is unreasonable to expect them to have the level of security expertise that security teams have acquired through years of experience. The lack of maturity when it comes to DevOps security is made apparent throughout the report.

Many DevOps teams run automated vulnerability scans or take other measures to eliminate the low-hanging security fruit. That is a good first step, but a vulnerability scanner does not manage credentials, and 75 percent of organizations reported they have no privileged account security strategy for DevOps. Even worse, 99 percent of respondents failed to identify the different places privileged accounts or secrets can exist in a DevOps environment, such as source repositories, CI/CD pipelines, build servers, configuration management and orchestration tools, containers and the applications themselves.

Privileged accounts, secrets and credentials are access to an organization's data and infrastructure. With them, an attacker can impersonate legitimate users and services within the organization and take almost anything they want.

Infrastructure-as-code is the engine that fuels DevOps velocity. But it also means that everything a DevOps team has built, along with its institutional know-how and intellectual property, is written down in repositories and pipelines where it can be stolen more easily, and any credentials embedded in that code go with it.

Making the Case for DevOps Security

Attackers go after organizations where they are weak, which has made unsecured and unmanaged secrets, including privileged account credentials, SSH keys, API keys and more, a favorite target.

These secrets are often hardcoded in clear text in scripts, configuration files and source repositories, and are sometimes publicly accessible, making DevOps a significant security risk to organizations. Attackers know this: they are actively exploiting exposed credentials and scanning the internet for exposed SSH keys.
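As an added example (not part of the original post, and not CyberArk's own tooling), the following Python script shows the kind of lightweight, automatable check that catches hardcoded credentials before they reach a repository or pipeline. It scans two constructed sample files (a docker-compose file and a deploy script, made up for this example; the AWS key in it is Amazon's documented placeholder key) for a few well-known secret signatures, skips values that are references to a variable or secret store rather than the secret itself, and redacts what it reports so the scanner does not itself leak the credential into CI logs. The rule set and the reference prefixes are illustrative assumptions, not an exhaustive list.

```python
import re
import sys
from typing import Dict, List, NamedTuple, Pattern


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str  # redacted: the full secret must never be written to CI logs


# Illustrative signatures for secrets that end up hardcoded in IaC, scripts
# and CI config. These are assumptions for this example, not a complete ruleset.
SECRET_PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # key = value / key: value assignments; group 1 captures the value
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}

# Values that are an indirection (env var, template, vault call), not the secret itself.
REFERENCE_PREFIXES = ("$", "{{", "<", "%")


def is_reference(value: str) -> bool:
    """True when the assigned value points at a variable or secret store."""
    return value.startswith(REFERENCE_PREFIXES)


def redact(value: str) -> str:
    """Keep enough to locate the secret in the file, not enough to reuse it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line; return redacted findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if rule == "credential_assignment" and is_reference(value):
                    continue  # ${DB_PASSWORD}, $(vault ...) etc. are fine
                findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample input: one compose file and one deploy script.
SAMPLE_FILES: Dict[str, str] = {
    "docker-compose.yml": "\n".join([
        "services:",
        "  db:",
        "    image: postgres:12",
        "    environment:",
        "      POSTGRES_PASSWORD: ${DB_PASSWORD}",           # reference: not flagged
        "  app:",
        "    environment:",
        "      API_KEY: 7f3c9a1e2b4d8f6a0c5e1d2b3a4f5e6c",   # hardcoded: flagged
        "      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE",      # AWS doc placeholder key
    ]),
    "deploy.sh": "\n".join([
        "#!/bin/sh",
        "cat > /root/.ssh/id_rsa <<'EOF'",
        "-----BEGIN OPENSSH PRIVATE KEY-----",                 # key material in a script
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW",
        "-----END OPENSSH PRIVATE KEY-----",
        "EOF",
        'export DB_PASSWORD="$(vault kv get -field=password secret/db)"',  # reference
    ]),
}


def main(files: Dict[str, str] = SAMPLE_FILES) -> int:
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.preview}")
    # Non-zero exit lets this run as a pre-commit hook or CI gate.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-commit hook or a CI stage, a non-zero exit blocks the commit or build, and the redacted preview is enough to find the offending line. A secret that is already committed should be treated as exposed and rotated, because it lives on in the repository history even after the line is removed.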

Bottom line: DevOps has changed the game in terms of productivity, but security needs to be part of the journey. The move from waterfall to agile development taught us that the cheapest time to make a change is at the beginning of the process, and that is true of security too.

Security teams need to be included in the DevOps process from the beginning to reduce the cost of changes made later. Security tools have also evolved to meet DevOps teams where they work, without disrupting flow or velocity. Any credible security solution must be automatable and have a small, if not invisible, footprint on DevOps teams.

John Walsh is a Tech Evangelist at CyberArk