DevOps Teams Struggle with Cryptographic Security
May 09, 2017

Tim Bedard
Venafi

DevOps teams bring significant benefits to their organizations. From product efficiency to innovation, a mature DevOps program can be a competitive asset for enterprises. Unfortunately, DevOps teams, like many business programs, tend to believe innovation must come with a detriment to security. Security measures are often seen as obstacles that impact the agility that DevOps teams rely on.

Cryptographic assets, such as keys and certificates, are especially important to DevOps teams; however, their security is often lax. Cyber attackers can target DevOps teams' certificates and misuse them to create a tunnel that hides in an organization's encrypted traffic. These kinds of attacks are on the rise; for example, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection.

So, how are DevOps teams handling cryptographic security risks? Venafi recently conducted a study that analyzed the cryptographic security controls used by DevOps teams. The study polled over 430 IT professionals who are responsible for the cryptographic assets of their company's DevOps programs. Unfortunately, the study revealed that most DevOps teams do not consistently implement basic certificate security.

On a positive note, most DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates. However, they clearly are not translating this awareness into meaningful protection. This kind of inaction may leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.

These issues were especially acute among organizations that were just beginning to adopt DevOps practices. However, even organizations that said their DevOps programs were mature often enforced only the most basic security procedures designed to protect cryptographic keys and digital certificates.

Interesting highlights from our survey included:

■ The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

■ In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice. If certificates are not changed, there is no automated way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

■ 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

■ 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly; however, they can make it difficult to uniquely identify the machines that can be trusted.

■ Key reuse is a widespread problem: 68% of mature DevOps respondents and 79% of adopting respondents say they allow key reuse. While key reuse saves development time, if a cyber criminal is able to gain access to a key, they automatically gain access to every other environment or application where that key is used.

Overall, DevOps teams are driven by accelerated application development, fast innovation and continuous releases. Hitting the production SLA is the primary thing on a developer's mind; security is the second, third, fourth, tenth thought or concern. While security is important and they are aware of it, it is all about fast development, innovation and releases.

DevOps teams must make sure their machine identities are properly protected. Cyber criminals can not only exploit SSL/TLS keys and certificates, but can also misappropriate SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.

Ultimately, our study reveals that security and DevOps can no longer exist separately. Both teams want their organization to succeed and they can use machine identity protection to remain innovative, and safe, in the future.

Tim Bedard is Director of Threat Intelligence and Analytics for Venafi