2020 Update: This blog originally appeared in 2017. However its data is as valid today as it was then and while the industry has made some strides in improving the cryptographic security risks introduced by DevOps teams, not enough has been done.
Despite the maturity of their programs, many DevOps teams can introduce cryptographic security risks into their environments.
Security compromises in development or test environments can easily spread to production systems and applications. Cyber attackers often target a DevOps team’s unprotected certificates and misuse them to hide in encrypted traffic. After all, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection.
DevOps tends to live outside the purview of standard security strategies. So, are security teams comfortable with how DevOps teams handle cryptographic risks? Venafi recently conducted a study analyzing the security practices of DevOps teams. Respondents included over 430 IT professionals responsible for cryptographic assets in companies with DevOps programs. Unsurprisingly, the study revealed that many organizations fail to enforce vital certificate security measures in their environments.
This lack of enforcement was especially acute among organizations that were in the midst of adopting DevOps practices. However, even organizations that said their DevOps practices were mature often did not follow security measures designed to protect cryptographic keys and digital certificates.
Interesting highlights from the survey included the following:
Early DevOps adopters don’t enforce key and certificate policies.
82% of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. For organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.
Untrusted development and test certificates remain in place.
Almost two-thirds (62%) of mature DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are just adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice.
Hard to control self-signed certificates run rampant.
80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates.
Key reuse is a problem.
68% of mature DevOps respondents and 79% of adopting respondents said they allow key re-use. If cyber criminals gain access to one key, they will automatically gain access to any other environment or application where that key is used.
Kevin Bocek, chief security strategist for Venafi, offered his thoughts on the survey results: “It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines. Although DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”
Tim Bedard, director of threat intelligence and analytics for Venafi, stressed that the security of keys and certificates requires more attention: “If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels. Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”
For a full breakdown of the survey results, please visit: https://www.venafi.com/research/mature-devops-study
Does your DevOps team effectively address key and certificate risks?