Study finds DevOps teams are employing weak cryptographic security controls

Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications, a new study reveals.

According to the study commissioned by Venafi, many organisations fail to enforce vital cryptographic security measures in their DevOps environments. These problems are especially acute among organisations that are in the midst of adopting DevOps practices, but even organisations that say their DevOps practices are mature do not follow security practices designed to protect cryptographic keys and digital certificates.

The cryptographic security practices of DevOps teams

Key study findings:

  • The vast majority (82%) of respondents from organisations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organisations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.
  • In mature DevOps organisations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organisations that are just adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice. Without changing certificates, there is no way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.
  • 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organisations from attacks that leverage compromised keys and certificates; in organisations adopting DevOps only 56% believe their teams are aware of these controls.
  • 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify that machines belong and can be trusted.
  • Key reuse is a problem: 68% of mature DevOps respondents and 79% of adopting respondents said they allow key re-use. While key re-use saves time, if a cyber criminal is able to gain access to one key they will automatically gain access to any other environment or application where the key is used.

As the speed and scale of DevOps development intensifies, the use of secure encrypted communications explodes. Without robust security measures and practices, successful attacks that target DevOps keys and certificates can allow attackers to remain hidden in encrypted traffic and evade detection.

“It’s clear that most organisations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines,” said Kevin Bocek, Chief Security Strategist for Venafi. “Although DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organisations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”


Edited from press release by Cecilia Rehn.