Venafi: automate cryptographic functions in DevOps, or die, basically

DevOps is, obviously, a coming together of Developers and Operations teams. All well and good, but what about security?

Ah, that’s okay: we have (well, the industry has) thought of that as well, i.e. we now have DevSecOps to bring together Developers and Operations and the Security function that needs to serve them both.

Is that enough, already?

Cryptographic firm Venafi thinks it’s not and is launching ‘Venafi Cloud for DevOps Service’ because, it says, corporate key and certificate policies simply aren’t enforced consistently enough in DevOps teams.

Even among mature DevOps teams, insecure practices are rife, with 80% allowing self-signed certificates and 68% allowing key re-use, says Venafi.

As a practical example, Venafi also surmises that two-fifths (38%) of mature DevOps teams fail to replace development and test certificates when code rolls into production, leaving teams unable to distinguish between the identities of trustworthy and untrustworthy machines.

Automate cryptography, or else

So to Venafi Cloud for DevOps Service, a development designed to deliver cryptographic keys and digital certificates for platforms such as Docker Enterprise, HashiCorp, Terraform and SaltStack Enterprise.

Thanks to the fully automated and scalable nature of key and certificate orchestration through Venafi Cloud for DevOps, enterprises are able to maintain accelerated application development while also remaining secure.

“It’s clear that most organisations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines,” said Kevin Bocek, chief security strategist for Venafi. “Although DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organisations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”

So it could well be an inconvenient truth then… cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications.