Digital transformation is driving today’s business. Adopting a DevOps framework is no longer a future possibility for most businesses but has been firmly embraced by organizations everywhere. According to GlobeNewswire in April 2020, DevOps market valuation is estimated to reach $17 billion by 2026. Such growth will help organizations increase their business productivity by meeting market demand for quickening application delivery schedules.
Embracing DevOps doesn’t just help organizations stay current in a changing world. Pluralsight makes the point that DevOps can also help to benefit operations teams that haven’t invested the same amount of time and resources in building agile work processes. In effect, organizations can use DevOps to help operations personnel release software at the same pace with which it’s developed.
They can also further assist developers in reaching their deadlines by shifting their development model away from big releases to gradual releases. In this type of framework, developers and technologies can use automation to save time and address issues week by week without sorting through multiple problems at one time right before the application is released.
Understanding DevOps’ security challenges
Notwithstanding the benefits discussed above, DevOps is creating new security risks for organizations. As noted by CCSI, organizations need to keep their data secure while they’re moving to the cloud in support of DevOps. In addition, because DevOps focuses on machine automation, machine-to-machine communication must be secured. Machine-to-machine communication is usually secured with digital certificates and encryption keys such as X.509 certificates, SSH keys, tokens, and code signing keys. Failure to protect these digital credentials could result in an attacker breaching the DevOps pipeline to disrupt an organization’s operations and/or make off with its sensitive information.
The pluses and minuses of digital certificates for DevOps
Organizations need to be able to trust what’s going on in their DevOps processes. In response, many are embracing digital certificates as a means to foster security. These electronic credentials already help organizations to protect other parts of their infrastructure using a pair of encryption keys. Subsequently, organizations are looking to these assets to protect their secrets and DevOps-related information.
There’s just one problem: using digital certificates with DevOps isn’t as straightforward as it might appear. One of the main issues is that digital certificates may aggravate an already pertinent DevOps security issue: the challenge of trying to balance security and speed. In a traditional development model, security teams take their time testing an application at the end of the pipeline before it is launched into production. Spreading this security testing throughout the development process could make it more difficult for DevOps teams to meet their deadlines.
Along this same line of thinking, requiring DevOps pipelines to obtain trusted certificates via manual requests undermines the agility of the software development lifecycle. This is especially a problem with containers, notes DevOps.com. Containers aren’t up for long, so if manual requests for certificates take days to complete, organizations might find themselves in a position where they’re forced to slow down their software delivery processes.
DevOps professionals share this same worry. In a December 2019 Venafi survey, three-quarters of respondents expressed their concern that policies for issuing certificates slow down development. Over a third (39%) of survey participants went on to voice their opinion that developers should be able to circumvent those policies to meet those deadlines.
Sidestepping recognized security best practices pose a danger to the organization. Indeed, if team members decide to purchase certificates on their own or set up rogue PKIs, they add more encryption assets that security teams need to manage.
Venafi notes elsewhere that attackers could pose as the legitimate owner of a key set in order to steal a victim’s sensitive information. They could also use those keys to sign malicious software to overcome browser filters and other security mechanisms that help to block malware.
The presence of more keys and certificates increases complexity, which raises the possibility of the organization experiencing a certificate outage and/or an attacker misusing an expired certificate for all kinds of nefarious purposes. To counter this tsunami of new certificates, organizations need certificate management solutions that bridge the gap between traditional IT and DevOps development cycles.
Certificate management best practices for DevOps
Acknowledging the threats discussed above, organizations need to follow best practices in managing certificates for their DevOps. They can begin by following the guidance of NIST’s Special Publication 1800-16, “Securing Web Transactions: TLS Server Certificate Management,” in creating a certificate management program. Another useful NIST publication for securing machine identities is one of the best practices for protecting code signing credentials: “Security Considerations for Code Signing.”
They can then tailor these best practices specifically for DevOps by incorporating automation into their certificate management processes, notes DZone. In particular, organizations can consider using a catalog of recipes, or collections of automation driven through APIs, to orchestrate the steps that are required to use keys and certificates. Such recipes work across development and orchestration environments, thereby improving visibility across multiple environments.
Speaking of visibility, organizations can invest in machine identity management solutions that enhance their ability to discover where all application certificates are being used. This will help security professionals find violations of the organization’s security policies and address any unauthorized certificates they find before these encryption assets cause a problem. And if it’s implemented strategically, it will also give developers the freedom they need to meet aggressive SLAs.
- DevOps and the Proliferation of Secrets
- Accelerate DevOps by Offering a Certificate Service for CI/CD Pipelines
- How Can You Be More Successful in a Compliance Conversation with DevSecOps?
- X.509 Certificate Issuance: Too Slow for DevOps?