Security Experts:

Where DevOps Could Be Increasing The Attack Surface

Survey Finds That DevOps Often Improves IT Efficiency While Weakening IT Security

The basic premise behind DevOps is that combining the development team and the operations team into a single cohesive unit will improve efficiency. It's all about breaking down silos. But there is one silo that frequently remains excluded: security. The obvious solution is to adopt DevSecOps rather than just DevOps; that is, remove another silo in the name of greater overall IT efficiency.

It doesn't seem to be happening. Early details from CyberArk's Advanced Threat Landscape 2018 report, due to be released in January, show that in at least one area, DevOps is increasing the attack surface -- privileged accounts. Privileged accounts are essential within DevOps, but CyberArk's figures suggest that they are not well protected.

CyberArk, founded in Israel in 1999, is headquartered in Newton, Mass. During September and October 2017, it commissioned Vanson Bourne to survey more than 1,000 IT security decision makers. It found that DevOps and security professionals have what it describes as "worrying knowledge gaps about where privileged accounts and secrets exist across the IT infrastructure." For example, 99% of the respondents failed to identify all the locations where privileged accounts or secrets exist.

The greatest knowledge gap is with source code repositories such as GitHub. Eighty-four percent of the respondents failed to recognize GitHub as a location for privileged accounts. This is followed by microservices (80%), cloud environments (78%), and continuous integration and continuous deployment (CI/CD) tools used by DevOps (76%).

"As organizations employ DevOps, more privileged account credentials and secrets are being created and shared across interconnected business ecosystems," said Elizabeth Lawler, vice president of DevOps security at CyberArk. "Even though dedicated technology exists, with few organizations managing and securing secrets, they become prime targets for attacks. In the hands of an external attacker or malicious insider, compromised credentials and secrets can allow attackers to take full control of an organization's entire IT infrastructure. So it's worrying that the rush to achieve IT and business advantages through DevOps is outpacing awareness of an expanded - and unmanaged - privileged attack surface."

This doesn't mean that DevOps is unaware of the security issue. Thirty-seven percent of DevOps professionals using the cloud said compromised DevOps tools and environments represent one of their organization's greatest security vulnerabilities. The main problem is the discontinuity between the security and DevOps teams. About 75% of security teams do not have a privileged account security strategy for the organization's DevOps, while there is no integration at all between security and DevOps in almost two-thirds of occasions.

As a result, security-aware DevOps professionals have tried to do things themselves. Twenty-two percent have built their own security solution to protect and manage secrets for DevOps projects. "Building your own security solutions is arguably OK up to a point," comments Lawler, "but is not a scalable way forward. From Jenkins to Puppet to Chef, there are no common standards between different tools, which means you must figure out every single tool to know how to secure it. DevOps really needs its own security stack, and security teams must bring something to the table here. They can provide a systemised approach that helps the DevOps teams maintain security while accelerating application delivery and boosting productivity."

When companies break down and integrate the development and operations silos in favor of efficiency, they need to ensure that security does not remain in its own silo outside of DevOps. It's not always an easy ask. DevOps is all about efficiency and speed; security is often seen as anathema to efficiency and speed. Nevertheless, CyberArk's survey demonstrates it is an essential step if companies wish to use DevOps to improve rather than weaken overall corporate security.

Related: Neglected Step Child: Security in DevOps

Related: Privileged Accounts Still Poorly Managed 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.