DevOps Teams Struggle with Cryptographic Security
May 09, 2017

Tim Bedard
Venafi

DevOps teams bring significant benefits to their organizations. From product efficiency to innovation, a mature DevOps program can be a competitive asset for enterprises. Unfortunately, DevOps teams, like many business programs, tend to believe innovation must come with a detriment to security. Security measures are often seen as obstacles that impact the agility that DevOps teams rely on.

Cryptographic assets, such as keys and certificates, are especially important to DevOps teams; however, their security is often lax. Cyber attackers can target DevOps teams' certificates and misuse them to create a tunnel to hide in an organization's encrypted traffic. These kinds of attacks are on the rise; for example, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection

So, how are DevOps teams handling cryptographic security risks? Venafi recently conducted a study that analyzed the cryptographic security controls used by DevOps teams. The study polled over 430 IT professionals who are responsible of the cryptographic assets of their company's DevOps programs. Unfortunately, the study revealed that most DevOps teams do not consistently implement basic certificate security.

On a positive note, most DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates. However, they clearly are not translating this awareness into meaningful protection. This kind of inaction may leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.

These issues were especially acute among organizations that were just beginning to adopt DevOps practices. However, even organizations that said their DevOps program were mature often enforced only the most basic security procedures designed to protect cryptographic keys and digital certificates.

Interesting highlights from our survey included:

■ The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

■ In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolled into production. In organizations that are adopting DevOps practices, only a bit over one-third (36%) followed this critical best practice. If certificates are not changed, there is no automated way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

■ 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

■ 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify the machines that can be trusted.

■ Key reuse is a widespread problem: 68% of mature DevOps respondents and 79% of adopting respondents say they allow key re-use. While key re-use saves development time, if a cyber criminal is able to gain access to a key they will automatically gain access to any other environment or application where the key is used.

Overall, DevOps teams are driven by accelerated application development, fast innovation and continuous releases. Hitting the production SLA is the primary thing on a developer's mind; security is the second, third, fourth, tenth thought or concern. While security is important and they are aware of it, it is all about fast development, innovation and releases.

DevOps teams must make sure their machine identities are properly protected. Cyber criminals can not only exploit SSL/TLS keys and certificates, but can also misappropriate SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.

Ultimately, our study reveals that security and DevOps can no longer exist separately. Both teams want their organization to succeed and they can use machine identity protection to remain innovative, and safe, in the future.

Tim Bedard is Director of Threat Intelligence and Analytics for Venafi
Share this

Industry News

September 05, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux (RHEL) AI across the hybrid cloud.

September 05, 2024

Jitterbit announced its unified AI-infused, low-code Harmony platform.

September 05, 2024

Akuity announced the launch of KubeVision, a feature within the Akuity Platform.

September 05, 2024

Couchbase announced Capella Free Tier, a free developer environment designed to empower developers to evaluate and explore products and test new features without time constraints.

September 04, 2024

Amazon Web Services, Inc. (AWS), an Amazon.com, Inc. company, announced the general availability of AWS Parallel Computing Service, a new managed service that helps customers easily set up and manage high performance computing (HPC) clusters so they can run scientific and engineering workloads at virtually any scale on AWS.

September 04, 2024

Dell Technologies and Red Hat are bringing Red Hat Enterprise Linux AI (RHEL AI), a foundation model platform built on an AI-optimized operating system that enables users to more seamlessly develop, test and deploy artificial intelligence (AI) and generative AI (gen AI) models, to Dell PowerEdge servers.

September 04, 2024

Couchbase announced that Couchbase Mobile is generally available with vector search, which makes it possible for customers to offer similarity and hybrid search in their applications on mobile and at the edge.

September 04, 2024

Seekr announced the launch of SeekrFlow as a complete end-to-end AI platform for training, validating, deploying, and scaling trusted enterprise AI applications through an intuitive and simple to use web user interface (UI).

September 03, 2024

Check Point® Software Technologies Ltd. unveiled its innovative Portal designed for both managed security service providers (MSSPs) and distributors.

September 03, 2024

Couchbase officially launched Capella™ Columnar on AWS, which helps organizations streamline the development of adaptive applications by enabling real-time data analysis alongside operational workloads within a single database platform.

September 03, 2024

Mend.io unveiled the Mend AppSec Platform, a solution designed to help businesses transform application security programs into proactive programs that reduce application risk.

September 03, 2024

Elastic announced that it is adding the GNU Affero General Public License v3 (AGPL) as an option for users to license the free part of the Elasticsearch and Kibana source code that is available under Server Side Public License 1.0 (SSPL 1.0) and Elastic License 2.0 (ELv2).

August 29, 2024

Progress announced the latest release of Progress® Semaphore™, its metadata management and semantic AI platform.

August 29, 2024

Elastic, the Search AI Company, announced the Elasticsearch Open Inference API now integrates with Anthropic, providing developers with seamless access to Anthropic’s Claude, including Claude 3.5 Sonnet, Claude 3 Haiku and Claude 3 Opus, directly from their Anthropic account.