Connect with us

Hi, what are you looking for?


Identity & Access

Where DevOps Could Be Increasing The Attack Surface

Survey Finds That DevOps Often Improves IT Efficiency While Weakening IT Security

Survey Finds That DevOps Often Improves IT Efficiency While Weakening IT Security

The basic premise behind DevOps is that combining the development team and the operations team into a single cohesive unit will improve efficiency. It’s all about breaking down silos. But there is one silo that frequently remains excluded: security. The obvious solution is to adopt DevSecOps rather than just DevOps; that is, remove another silo in the name of greater overall IT efficiency.

It doesn’t seem to be happening. Early details from CyberArk’s Advanced Threat Landscape 2018 report, due to be released in January, show that in at least one area, DevOps is increasing the attack surface — privileged accounts. Privileged accounts are essential within DevOps, but CyberArk’s figures suggest that they are not well protected.

CyberArk, founded in Israel in 1999, is headquartered in Newton, Mass. During September and October 2017, it commissioned Vanson Bourne to survey more than 1,000 IT security decision makers. It found that DevOps and security professionals have what it describes as “worrying knowledge gaps about where privileged accounts and secrets exist across the IT infrastructure.” For example, 99% of the respondents failed to identify all the locations where privileged accounts or secrets exist.

The greatest knowledge gap is with source code repositories such as GitHub. Eighty-four percent of the respondents failed to recognize GitHub as a location for privileged accounts. This is followed by microservices (80%), cloud environments (78%), and continuous integration and continuous deployment (CI/CD) tools used by DevOps (76%).

“As organizations employ DevOps, more privileged account credentials and secrets are being created and shared across interconnected business ecosystems,” said Elizabeth Lawler, vice president of DevOps security at CyberArk. “Even though dedicated technology exists, with few organizations managing and securing secrets, they become prime targets for attacks. In the hands of an external attacker or malicious insider, compromised credentials and secrets can allow attackers to take full control of an organization’s entire IT infrastructure. So it’s worrying that the rush to achieve IT and business advantages through DevOps is outpacing awareness of an expanded – and unmanaged – privileged attack surface.”

This doesn’t mean that DevOps is unaware of the security issue. Thirty-seven percent of DevOps professionals using the cloud said compromised DevOps tools and environments represent one of their organization’s greatest security vulnerabilities. The main problem is the discontinuity between the security and DevOps teams. About 75% of security teams do not have a privileged account security strategy for the organization’s DevOps, while there is no integration at all between security and DevOps in almost two-thirds of occasions.

Advertisement. Scroll to continue reading.

As a result, security-aware DevOps professionals have tried to do things themselves. Twenty-two percent have built their own security solution to protect and manage secrets for DevOps projects. “Building your own security solutions is arguably OK up to a point,” comments Lawler, “but is not a scalable way forward. From Jenkins to Puppet to Chef, there are no common standards between different tools, which means you must figure out every single tool to know how to secure it. DevOps really needs its own security stack, and security teams must bring something to the table here. They can provide a systemised approach that helps the DevOps teams maintain security while accelerating application delivery and boosting productivity.”

When companies break down and integrate the development and operations silos in favor of efficiency, they need to ensure that security does not remain in its own silo outside of DevOps. It’s not always an easy ask. DevOps is all about efficiency and speed; security is often seen as anathema to efficiency and speed. Nevertheless, CyberArk’s survey demonstrates it is an essential step if companies wish to use DevOps to improve rather than weaken overall corporate security.

Related: Neglected Step Child: Security in DevOps

Related: Privileged Accounts Still Poorly Managed 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.