In most organizations, DevOps business is not being run by security. It's being run by a group of developers. Yes. They're using all sorts of cool stuff to create amazing apps for the business. They're marketing wise and doing very exciting work. But if organizations don't know how the certificates for these applications are being signed, then these groundbreaking development efforts may become somewhat tarnished.
Not to diminish from the amazing work they do, but the main concern of developers is not security. If fact, they don’t much care about security. What they care about is doing whatever they've got to do to launch whatever it is they've got to get launched. In this high-paced environment, it’s easy for security to become an afterthought.
But it’s not just the developers who are not security focused. Sometimes it seems that no one is scrutinizing security all that carefully in DevOps. If the developers are not being told "sign the code" and which certificate authority (CA) to use to sign it with, they either won’t sign it or they'll spin up a self-signed CA within the DevOps environment to do the signing. So, it's not their fault, it's just that the people that understand PKI are generally not the people that are going to take care of the provisioning of DevOps certificates. That's the problem.
Indeed, many developers are unable to answer the questions that security folks routinely ask. Questions like which CA is actually issuing the certificates. Who's managing that process? Who’s determining the certificate attributes? How secure is it? If organizations are not tracking all those DevOps certificates correctly and managing them well, they won’t know if any have been revoked, who’s signing the active certificates, or if they are even being signed at all.
In fact, some of these organizations don't even know whether they're using certificates in DevOps. They don't even know if the microservices and containers have got certificates on them. And they often don't understand why they need certificates. They wonder why they would bother with a certificate if the code is inside a container. They don’t really think about how the code is performing all these functions, and how it's transmitting all this data that needs to be secured.
Even more important, organizations need to know that the code they are trusting is legitimate. They need assurances that the code was implemented by a bona fide developer, not by some hacker somewhere that can then insert that piece of code inside the app to drain all the valuable data somewhere else.
Case in point, there was an attacker a few months ago that created a new containerized app for a brand, and it was a replica of a legitimate banking app. So, bank customers downloaded it thought they were downloading the legitimate banking app, when all it was actually doing was diverting their data and transactions to an undisclosed location. As a result, some bank accounts got drained fairly quickly, which was a huge problem for the bank even though it wasn’t their fault. It was just easier for the customers to blame the bank.
The reality is that most containers are not particularly well protected, especially on Android. And if an organization doesn't know whether they're signing their code or not (or if so, whether the code is signed by a trusted source), then it's a fairly sort of wild west environment to be in.
In the words of my esteemed former colleague, Terrie Anderson, “What organizations are left with is a scenario like this: They've got all these machine identities created by DevOps and they don't know exactly what they are. They simply don't know what they don't know. So, they end up with tons of machine identities that are floating around out there. But they may not even know if they've got machine identities in DevOps. If they have got them, they hope they're out there, and they hope they're valid, and they hope that they're correctly linked, and they hope that they're secure. But hope is not a great thing to run an enterprise IT environment off. In fact, hope is not a strategy at all.”
Do you know how secure is your code signing process for DevOps?