Secrets at Risk as DevOps Goes Mainstream

As DevOps becomes established across industries and geographies, the way in which we deliver applications and services for businesses continues to evolve and accelerate.

But this agile development approach also creates serious security risks to privileged account credentials and secrets.

Security teams now have a vastly expanded attack surface to contend with. Why? Because, as DevOps takes hold, more and more privileged account credentials and secrets are created and shared across interconnected access points.

Compounding the risks are technologies including artificial intelligence, machine learning and automated IT, which not only expose new attack vectors, but also demand that businesses manage machine identities.

Even the much-heralded dawn of ‘digital transformation’ can be to blame. Ultimately, any time an organization puts a new digital strategy in place or seeks to innovate quickly, it puts itself in the spotlight of hackers.

Why DevOps?
DevOps teams are usually more vulnerable than other business units because they are always looking for new ways to innovate and complete their jobs faster. Usually, this is something of great value to businesses, given the incessant demands for innovation within today’s business climate.

However, downloading tools from the internet to help speed things up could compromise company data and IP even further. The frequency of changes in these environments, once they’ve been pushed out to the edges of organizations, can also make it difficult to unpick processes and tools.

Organizations’ rush to innovate is also creating new DevOps pipelines and, in doing so, numerous new vectors for attackers to target. At the beginning of the development process, for example, infrastructure code developers are being pursued by hackers targeting cloud credentials stored on repositories like GitHub. Likewise, the source code they create is then sought via phishing attacks, as hackers seek a direct path to cloud access.

This source code is then plugged into build and test units, which are often targeted as attackers seek to hijack IT resources via out-of-date libraries. When it comes to the final stage - reviewing code ahead of a wider rollout - the risk of malware injection in test systems can be high, as attackers seek to exploit the distribution of new code throughout organizations. At every stage, the threat of malicious activity and data loss for the business is high, making the DevOps pipeline vulnerable.

Double down on DevOps and security collaboration 
Securing this pipeline requires a fully automated privileged account security and secrets management solution—a tool that many businesses lack. In fact, 75% of security professionals say their organization doesn’t have a privileged account security strategy for DevOps, according to the threat landscape report we launched earlier this year. 

Another concern highlighted was that neither developers nor security teams fully understand all of the places where privileged accounts and secrets exist in their IT environment. We found that 99% of respondents could not identify all of the places where privileged accounts or secrets reside. This crucial information is embedded in a very wide spectrum of entities scattered across IT and cloud environments—and you must be able to locate them before you can protect them.

Perhaps the biggest roadblock to securing DevOps is that security teams and app developers typically work in operational silos. In fact, only one-third (33%) of IT professionals say the two teams and processes are well-integrated throughout the entire development process, highlighting the need for these units to improve their collaboration.

In addition to tight teamwork, you’ll need one dedicated technology solution and a single security stack that can seamlessly connect DevOps tools with enterprise security solutions. The combination of the two enables businesses to build scalable security platforms that are constantly improved as new iterations of tools are developed, tested and deployed.

‘Build your own’ is not the way forward
Clearly, many organizations don’t understand the means — or the mechanisms — to secure privileged account credentials and secrets. Traditional security programs simply haven’t kept pace with vulnerabilities created by new access points, machine identities and automated IT.

To get it right, you’ll need to integrate security with DevOps and implement a unified security solution that applies common controls across disparate services and infrastructures.
