How Vulnerable Are DevOps Certificates? New Study Reveals Weak Use of Cryptographic Security in DevOps

DevOps security
April 18, 2017 | Eva Hanscom

Despite the maturity of their programs, many DevOps teams can introduce cryptographic security risks into their environments.

Security compromises in development or test environments can easily spread to production systems and applications. Cyber attackers often target a DevOps team’s unprotected certificates and misuse them to hide in encrypted traffic. After all, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection.

DevOps tends to live outside the purview of standard security strategies. So, are security teams comfortable with how DevOps teams handle cryptographic risks? Venafi recently conducted a study analyzing the security practices of DevOps teams. Respondents included over 430 IT professionals responsible for cryptographic assets in companies with DevOps programs. Unsurprisingly, the study revealed that many organizations fail to enforce vital certificate security measures in their environments.

This lack of enforcement was especially acute among organizations that were in the midst of adopting DevOps practices. However, even organizations that said their DevOps practices were mature often did not follow security measures designed to protect cryptographic keys and digital certificates.

Interesting highlights from the survey included the following:

  • Early DevOps adopters don’t enforce key and certificate policies.
    • 82% of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. For organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

  • Untrusted development and test certificates remain in place.
    • Almost two-thirds (62%) of mature DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are just adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice.

  • Hard-to-control self-signed certificates run rampant.
    • 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates.

  • Key reuse is a problem.
    • 68% of mature DevOps respondents and 79% of adopting respondents said they allow key reuse. If cyber criminals gain access to one key, they automatically gain access to any other environment or application where that key is used.
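The three findings above (self-signed certificates, key reuse across environments, and development or test certificates left in production) are the kind of thing a certificate inventory can be checked for automatically. The following example is added here and is not Venafi's code or part of the survey; the inventory records, host names and fingerprint values are constructed sample data.

```python
"""Policy checks over a certificate inventory, one per survey finding:
self-signed certificates, key reuse across hosts/environments, and
dev/test-CA certificates still presented by production hosts.
All records below are constructed sample data (hypothetical hosts)."""
from collections import defaultdict

# Constructed inventory: one record per deployed certificate.
# 'spki_sha256' stands in for the SHA-256 fingerprint of the public key,
# which is how the same key is recognised across different certificates.
INVENTORY = [
    {"host": "api.prod.example.internal", "env": "prod",
     "subject": "CN=api.example.com", "issuer": "CN=Example Issuing CA",
     "spki_sha256": "aa11"},
    {"host": "api.staging.example.internal", "env": "staging",
     "subject": "CN=api.example.com", "issuer": "CN=Example Issuing CA",
     "spki_sha256": "aa11"},          # same key as prod: key reuse
    {"host": "build01.example.internal", "env": "prod",
     "subject": "CN=build01", "issuer": "CN=build01",
     "spki_sha256": "bb22"},          # subject == issuer: self-signed
    {"host": "web.prod.example.internal", "env": "prod",
     "subject": "CN=web-test.example.com", "issuer": "CN=Example Dev CA",
     "spki_sha256": "cc33"},          # issued by a dev CA, still in prod
    {"host": "db.prod.example.internal", "env": "prod",
     "subject": "CN=db.example.com", "issuer": "CN=Example Issuing CA",
     "spki_sha256": "dd44"},          # clean
]

# Substrings that mark an issuer as a non-production CA (assumed naming).
DEV_ISSUER_MARKERS = ("dev", "test")


def self_signed(inv):
    """Hosts presenting a certificate whose issuer is its own subject."""
    return sorted(r["host"] for r in inv if r["subject"] == r["issuer"])


def reused_keys(inv):
    """Map key fingerprint -> hosts, for keys present on more than one host."""
    by_key = defaultdict(set)
    for r in inv:
        by_key[r["spki_sha256"]].add(r["host"])
    return {k: sorted(h) for k, h in by_key.items() if len(h) > 1}


def dev_certs_in_prod(inv):
    """Production hosts still presenting a certificate from a dev/test CA."""
    return sorted(r["host"] for r in inv if r["env"] == "prod"
                  and any(m in r["issuer"].lower() for m in DEV_ISSUER_MARKERS))
```

In practice the inventory would be populated from a scan or a certificate management system; the checks themselves do not change.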

Kevin Bocek, chief security strategist for Venafi, offered his thoughts on the survey results: “It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines. Although DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”

Tim Bedard, director of threat intelligence and analytics for Venafi, stressed that the security of keys and certificates requires more attention: “If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels. Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”

For a full breakdown of the survey results, please visit: https://www.venafi.com/research/mature-devops-study

Does your DevOps team effectively address key and certificate risks? 

About the author

Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.