How Vulnerable Are DevOps Certificates? Study Reveals Weak Use of Cryptographic Security in DevOps

June 5, 2020 | Emil Hanscom

2020 Update: This blog originally appeared in 2017. However, its data is as valid today as it was then, and while the industry has made some strides in reducing the cryptographic security risks introduced by DevOps teams, not enough has been done.

Despite the maturity of their programs, many DevOps teams can introduce cryptographic security risks into their environments.

Security compromises in development or test environments can easily spread to production systems and applications. Cyber attackers often target a DevOps team’s unprotected certificates and misuse them to hide in encrypted traffic. After all, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection.

DevOps tends to live outside the purview of standard security strategies. So, are security teams comfortable with how DevOps teams handle cryptographic risks? Venafi recently conducted a study analyzing the security practices of DevOps teams. Respondents included over 430 IT professionals responsible for cryptographic assets in companies with DevOps programs. Unsurprisingly, the study revealed that many organizations fail to enforce vital certificate security measures in their environments.

This lack of enforcement was especially acute among organizations that were in the midst of adopting DevOps practices. However, even organizations that said their DevOps practices were mature often did not follow security measures designed to protect cryptographic keys and digital certificates.

Interesting highlights from the survey included the following:

Early DevOps adopters don’t enforce key and certificate policies.

82% of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. For organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

Untrusted development and test certificates remain in place.

Almost two-thirds (62%) of mature DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are just adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice.


Hard to control self-signed certificates run rampant.

80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates.


Key reuse is a problem.

68% of mature DevOps respondents and 79% of adopting respondents said they allow key reuse. If cyber criminals gain access to one key, they automatically gain access to every other environment or application where that key is used.
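The two practices called out above, self-signed certificates and key reuse, are straightforward to check for once certificates are inventoried. The Go audit below is an added example, not code from Venafi or the study: it flags non-CA certificates whose signature verifies under their own key, and any public key that appears in more than one certificate. makeCert and the subject names are constructed sample data standing in for a real inventory.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Finding is one policy violation: the certificate's subject and what is wrong with it.
type Finding struct{ Subject, Issue string }

// AuditCerts flags non-CA certs that are self-signed and keys used by more than one cert.
func AuditCerts(certs []*x509.Certificate) []Finding {
	var out []Finding
	bySPKI := map[string][]string{} // raw SubjectPublicKeyInfo bytes -> subjects using that key
	for _, c := range certs {
		// Verifies under its own key => self-signed; CA certs are exempt (a root is self-signed by design).
		if !c.IsCA && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			out = append(out, Finding{c.Subject.CommonName, "self-signed"})
		}
		k := string(c.RawSubjectPublicKeyInfo)
		bySPKI[k] = append(bySPKI[k], c.Subject.CommonName)
	}
	for _, subjects := range bySPKI {
		if len(subjects) < 2 {
			continue
		}
		for _, s := range subjects {
			out = append(out, Finding{s, "key shared with another certificate"})
		}
	}
	return out
}

// makeCert (hypothetical helper) builds a constructed sample cert; nil parent => self-signed.
func makeCert(cn string, key ed25519.PrivateKey, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return cert
}
```

Run AuditCerts over every leaf certificate deployed in an environment; a production certificate sharing its key with a test certificate, or a self-signed leaf, each produce a Finding.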

Kevin Bocek, chief security strategist for Venafi, offered his thoughts on the survey results: “It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines. Although DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”

Tim Bedard, director of threat intelligence and analytics for Venafi, stressed that the security of keys and certificates requires more attention: “If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels. Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”

For a full breakdown of the survey results, please visit:

Does your DevOps team effectively address key and certificate risks?

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.