Research finds major flaws in DevOps teams security practices

Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications.

According to a study from Venafi, a provider of machine identity protection, many organisations fail to enforce vital cryptographic security measures in their DevOps environments.

These problems are especially acute among organisations that are in the midst of adopting DevOps practices, but even organisations that say their DevOps practices are mature do not follow security practices designed to protect cryptographic keys and digital certificates.

“It’s clear that most organisations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines,” said Kevin Bocek, chief security strategist for Venafi.

>See also: Best DevOps practices for 2017

“Although DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organisations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”

The vast majority (82%) of respondents from organisations with mature DevOps practices said corporate key and certificate policies are enforced consistently, whereas in organisations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

In mature DevOps organisations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production.

Again the disparity is clear in organisations that are just adopting DevOps practices, with only just over one-third (36%) following this critical best practice.

Without changing certificates, there is no way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

>See also: The shifting role of the IT professional In 2017

89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organisations from attacks that leverage compromised keys and certificates, while in organisations adopting DevOps only 56% believe their teams are aware of these controls.

However, mature and adopting DevOps respondents were closer in practice regarding self-signed certificates, with 80% of mature DevOps respondents and 84% of adopting respondents allowing self-signed certificates.

Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify that machines belong and can be trusted.

Key reuse was identified as a general problem, with 68% of mature DevOps respondents and 79% of adopting respondents said they allow key re-use. While key re-use saves time, if a cyber criminal is able to gain access to one key they will automatically gain access to any other environment or application where the key is used.

>See also: How companies must adapt to the digital revolution

As the speed and scale of DevOps development intensifies, the use of secure encrypted communications explodes. Without robust security measures and practices, successful attacks that target DevOps keys and certificates can allow attackers to remain hidden in encrypted traffic and evade detection. According to a recent report from A10 Networks, 41% of cyber attacks used encryption to evade detection.

“If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels,” said Tim Bedard, director of threat intelligence and analytics for Venafi. “Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...