Study: weak cryptographic security controls epidemic among DevOps teams
TweetFollow Us on Twitter

Study: weak cryptographic security controls epidemic among DevOps teams

Venafi (www.venafi.com), a provider of machine identity protection, has announced the results of a study on the cryptographic security practices of DevOps teams. Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications.

According to the study, many organizations fail to enforce vital cryptographic security measures in their DevOps environments. These problems are especially acute among organizations that are in the midst of adopting DevOps practices, but even organizations that say their DevOps practices are mature do not follow security practices designed to protect cryptographic keys and digital certificates.

“It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines,” said Kevin Bocek, chief security strategist for Venafi. “Although DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”

Key study findings:

° The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

° In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are just adopting DevOps practices, only a bit over one-third (36 percent) follow this critical best practice. Without changing certificates, there is no way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

° Eighty-nine percent of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

° Eighty percent of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify that machines belong and can be trusted.

Key reuse is a problem: 68% of mature DevOps respondents and 79% of adopting respondents said they allow key re-use. While key re-use saves time if a cyber criminal is able to gain access to one key they will automatically gain access to any other environment or application where the key is used.

As the speed and scale of DevOps development intensifies, the use of secure encrypted communications explodes. Without robust security measures and practices, successful attacks that target DevOps keys and certificates can allow attackers to remain hidden in encrypted traffic and evade detection. According to a recent report from A10 Networks, 41% of cyber attacks used encryption to evade detection.

“If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels,” said Tim Bedard, director of threat intelligence and analytics for Venafi. “Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”

The study was conducted by Dimensional Research in November 2016. Study respondents included 431 IT professionals responsible for cryptographic assets in companies with DevOps programs in the U.S. and Europe.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Combo Quest (Games)
Combo Quest 1.0 Device: iOS Universal Category: Games Price: $.99, Version: 1.0 (iTunes) Description: Combo Quest is an epic, time tap role-playing adventure. In this unique masterpiece, you are a knight on a heroic quest to retrieve... | Read more »
Hero Emblems (Games)
Hero Emblems 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: ** 25% OFF for a limited time to celebrate the release ** ** Note for iPhone 6 user: If it doesn't run fullscreen on your device... | Read more »
Puzzle Blitz (Games)
Puzzle Blitz 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: Puzzle Blitz is a frantic puzzle solving race against the clock! Solve as many puzzles as you can, before time runs out! You have... | Read more »
Sky Patrol (Games)
Sky Patrol 1.0.1 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0.1 (iTunes) Description: 'Strategic Twist On The Classic Shooter Genre' - Indie Game Mag... | Read more »
The Princess Bride - The Official Game...
The Princess Bride - The Official Game 1.1 Device: iOS Universal Category: Games Price: $3.99, Version: 1.1 (iTunes) Description: An epic game based on the beloved classic movie? Inconceivable! Play the world of The Princess Bride... | Read more »
Frozen Synapse (Games)
Frozen Synapse 1.0 Device: iOS iPhone Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: Frozen Synapse is a multi-award-winning tactical game. (Full cross-play with desktop and tablet versions) 9/10 Edge 9/10 Eurogamer... | Read more »
Space Marshals (Games)
Space Marshals 1.0.1 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.1 (iTunes) Description: ### IMPORTANT ### Please note that iPhone 4 is not supported. Space Marshals is a Sci-fi Wild West adventure taking place... | Read more »
Battle Slimes (Games)
Battle Slimes 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: BATTLE SLIMES is a fun local multiplayer game. Control speedy & bouncy slime blobs as you compete with friends and family.... | Read more »
Spectrum - 3D Avenue (Games)
Spectrum - 3D Avenue 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: "Spectrum is a pretty cool take on twitchy/reaction-based gameplay with enough complexity and style to stand out from the... | Read more »
Drop Wizard (Games)
Drop Wizard 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: Bring back the joy of arcade games! Drop Wizard is an action arcade game where you play as Teo, a wizard on a quest to save his... | Read more »

Price Scanner via MacPrices.net

Deal Alert! Mac Studio with M4 Max CPU on sal...
B&H Photo has the standard-configuration Mac Studio model with Apple’s M4 Max CPU in stock today and on sale for $300 off MSRP, now $1699 (10-Core CPU and 32GB RAM/512GB SSD). B&H also... Read more

Jobs Board

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.