The Importance of Machine Identity Management for DevOps
August 29, 2023

Christian Simko
AppViewX

There's tremendous pressure on DevOps teams to deliver business-critical applications and services with speed and agility. As a result, DevOps teams will often take the path of least resistance to meeting deadlines, even if it means taking security shortcuts.

One such example is the provisioning and management of digital certificates may stray from enterprise-wide PKI policy which can expose security weaknesses and vulnerabilities. Recent findings from a study conducted by Enterprise Management Associates(link is external)(EMA) highlight some concerning trends, especially with respect to DevOps practices for managing SSL/TLS certificates.

According to the EMA report: nearly 80% of TLS certificates on the internet are vulnerable to Man in the Middle (MiM) attacks, while up to 25% of all certificates are expired at any given time. This has significant implications, particularly for business-critical applications and cloud services, where such vulnerabilities can have catastrophic outcomes.

Key insights from the survey:

■ A vast majority (79%) of SSL certificates in use today are still susceptible to man-in-the-middle attacks as they don't utilize TLS 1.3.

■ Alarmingly, up to 25% of certificates on the internet pose a direct security threat due to expiration (10%) or being self-signed (15%), which is not deemed secure for publicly accessible platforms.

■ Almost half (45%) of IP addresses exposed to top 10 vulnerabilities also had either expired certificates or were self-signed.

■ Notably, .org, .com, and .mil top the list of Generic Top-Level Domains with the most expired certificates.

Ken Buckler, CASP, Director of Information Security Research for EMA who conducted the survey, believes the high volume of expired and self-signed certificates is a wake-up call for organizations to automate certificate management, especially in light of Google's 90-day certificate expiration proposal(link is external).

Impact of Manual Certificate Management on DevOps

Reliance on manual certificate management poses serious obstacles to the smooth running of DevOps practices. Firstly, manual processes are prone to errors, leading to the deployment of applications and services with expired or incorrectly configured certificates. This not only puts the entire infrastructure at risk but also necessitates costly and time-consuming remediation efforts.

Secondly, the rapid pace of DevOps cycles means there's a constant need to issue, renew, and revoke certificates. Handling this manually makes it challenging to keep up with the rapid development and deployment cycles, thereby slowing down the entire process and negating the efficiency and agility advantages of DevOps.

Lastly, manual certificate management often leads to inconsistent application of security policies. Without a centralized oversight, different teams may adopt varied standards, leaving some systems more vulnerable than others. This inconsistency makes the entire infrastructure a prime target for cyber attackers who are always on the lookout for weak links.

DevOps practices emphasize continuous improvement, development and deployment, which is only viable when the infrastructure that underpins it is trustworthy and secure. In an environment where rapid deployment of applications and cloud services is the norm, the state of machine identity management should be a primary concern. Improper provisioning and management of machine identities and digital certificates can open new threat vectors that cyberattackers can use to breach systems, disrupt business services and steal sensitive data and information.

The EMA report illustrates that many organizations still overlook the importance of machine identity management in their DevOps practices. When giants like Cisco(link is external), WhatsApp(link is external), and StarLink face certificate expiration incidents, it's a clear signal that the industry at large needs to revisit its strategies.

The solution lies in the very principles that guide DevOps: automation. It is vital for preventing critical outages and ensuring robust security. Automation of machine identity management can ensure that certificates are kept up to date, helping organizations maintain compliance and avoid vulnerabilities that hackers could exploit.

To automate machine identity management, consider these best practices:

■ Regularly Audit: Conduct periodic audits of machine identities and certificates to ensure they adhere to organizational policies.

■ Centralize Certificate Storage: Store all machine identity certificates and keys in a centralized and encrypted database to facilitate easy management.

■ Implement Tools: Utilize a certificate lifecycle management platform to automate certificate generation, renewal, and deployment.

■ Set Alerts: Establish a notification system for approaching expiration dates, ensuring timely renewals.

■ Integrate with DevOps: Integrate machine identity automation with existing DevOps pipelines to streamline processes.

■ Maintain a Backup: Always keep a backup of certificates and keys, ensuring quick recovery during emergencies.

The findings of the EMA report underscore the urgent need to strengthen machine identity security, particularly in DevOps environments. With business growth depending on available and secure applications and services, the automation of machine identity management is necessary to ensure the security and reliability of an interconnected world.

Christian Simko is VP of Product Marketing at AppViewX
Share this

Industry News

May 15, 2025

GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.

May 15, 2025

Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.

May 15, 2025

Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.

May 15, 2025

CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.

May 14, 2025

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.

May 14, 2025

CodeRabbit is now available on the Visual Studio Code editor.

The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.

May 14, 2025

Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.

May 14, 2025

Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.

May 13, 2025

Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.

May 13, 2025

Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.

May 13, 2025

Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.

May 13, 2025

Parasoft has added Agentic AI capabilities to SOAtest, featuring API test planning and creation.

May 13, 2025

Zerve unveiled a multi-agent system engineered specifically for enterprise-grade data and AI development.

May 12, 2025

LambdaTest, a unified agentic AI and cloud engineering platform, has announced its partnership with MacStadium(link is external), the industry-leading private Mac cloud provider enabling enterprise macOS workloads, to accelerate its AI-native software testing by leveraging Apple Silicon.

May 12, 2025

Tricentis announced a new capability that injects Tricentis’ AI-driven testing intelligence into SAP’s integrated toolchain, part of RISE with SAP methodology.