Nataliya Yakovleva - Fotolia
Businesses’ shift towards a DevOps approach that combines application development and deployment is a growing challenge to security, says security firm Venafi.
“DevOps is like a black hole to security teams because they have no idea what DevOps is doing and have no way of ensuring security policy is enforced,” Kevin Bocek, vice-president of threat intelligence and security strategy at Venafi, told Computer Weekly.
“We are seeing DevOps teams introducing vulnerabilities by making security decisions that are not compliant with company policy and standards. [They are also] making poor security decisions, such as disabling certain features and circumventing code scanning and configuration checking procedures,” he said.
The shift to DevOps is being driven by the business need to innovate continually and to introduce functionality and business models to the market as quickly as possible.
“Security has traditionally been a barrier to DevOps teams and, consequently, they tend to look for ways around it, avoiding contact with security teams,” said Bocek.
This trend is no longer limited to small, agile businesses, as even large, highly regulated sectors such as banking, insurance and payments are tapping into the benefits of a DevOps approach.
This means an increasing range and number of businesses are at risk from cyber attack due to the focus on speed to market at the expense of security.
DevOps security risks
One of the biggest security oversights associated with DevOps concerns TLS (transport layer security) keys and certificates, which determine what can and cannot be trusted on the internet, enabling software to communicate privately and preventing man in the middle, spoofing and other trust-based attacks.
DevOps approaches such as orchestration and containerisation increase the demand for near instantaneous availability of trusted TLS keys and certificates. As a result, many developers take shortcuts when obtaining or using TLS keys and certificates.
According to Bocek, this is because the standard process can take three to five working days in most UK organisations.
These shortcuts include using weak cryptographic methods; unknown, self-signed or duplicate keys; wildcard certificates to represent a whole domain; and unapproved certificate authorities (CAs) with little to no validation and oversight from security teams.
All of this makes it easier for attackers to look trusted or hide inside encrypted traffic, and the sheer volume of untrusted and unprotected certificates makes an outage from expired or misconfigured certificates increasingly likely.
“Venafi research shows that 79% of CIOs believe that DevOps makes it more difficult to know what is trusted or not because of the chaos brewing with the use of TLS keys and certificates,” said Bocek.
“Security teams need to keep DevOps safe with easy-to-use automation that eliminates complexity,” he said.
Utility addition for managing DevOps
“This represents a change in mindset for security teams because ‘fast and easy’ is not something that comes naturally to them,” said Bocek.
The Venafi utility is aimed at addressing the problem of TLS keys and certificates by enabling secure TLS key and certificate lifecycle management for DevOps.
According to Bocek, Venafi decided to tackle this particular challenge regarding DevOps security because there is not much expertise and guidance in this area for developers, especially in the context of virtual environments and the use of containers.
To take advantage of the utility once it has been downloaded and added to Venafi’s Trust Protection Platform, all DevOps teams need to do is add a single load of code to their software.
This means DevOps teams can focus on speeding up continuous development and deployment, while security teams have complete visibility and can keep the DevOps environment secure and compliant.
According to Venafi, the utility is designed to work out-of-the box on premise and in the cloud with leading automation, orchestration and containerisation platforms, including Puppet, Chef, Docker, Terraform, Saltstack and Ancible.
By automating the process, DevOps teams do not need to worry about the details of how to get, install and use keys and certificates.
At the same time, Venafi said IT security policies are enforced and there is complete visibility, and because only trusted keys and certificates are issued, any anomalies are detected quickly.
“Finding a way to provide security-at-speed is vital if we are to unlock the promise of DevOps. Venafi is helping IT security teams make it fast and easy for DevOps to use TLS keys and certificates,” said Bocek.
Bocek said security teams and DevOps teams need to find ways of working more closely together to minimise security vulnerabilities, particularly as world moves towards using more encryption.
“If DevOps is switching to encryption to meet government requirements, such as those being introduced in the UK, security teams need to ensure they are able to monitor those channels for malicious activity.”