sb-as logo
Story image

Security teams could be slowing down DevOps, survey shows

Venafi has released the findings of its latest survey, revealing 75% of DevOps professionals say certificate issuance policies slow them down.

In addition, more than a third (39%) of professionals believe developers should be able to circumvent these policies to meet service level agreements, and less than half believe developers always request certificates that serve as machine identities through authorised channels.

Venafi, the inventor and provider of machine identity protection, conducted a survey on digital certificate security policies and practices in DevOps environments.

Cryptographic keys and certificates serve as machine identities and enable authentication and secure communication for applications, service containers and APIs on enterprise networks, the internet and in cloud environments. The use of weak or unauthorised keys and certificates can significantly increase security risks, particularly in cloud environments, Venafi says.

Developers use insecure machine identities, including certificates from unauthorised certificate authorities (CAs) and self-signed or wild card certificates, because corporate certificate issuance processes are seen as too cumbersome, Venafi says.

However, this leaves security teams in the dark and increases organisational risk, especially if key and certificate vulnerabilities or errors enter production environments, the company states.

“DevOps is all about speed, but this survey illustrates that developers often find security policies slow,” says Kevin Bocek, Venafi vice president of security strategy and threat intelligence.

He says, “Unfortunately, security professionals are often unaware of the risks DevOps processes bring to their organisations. Ultimately, security teams need to make it more straightforward for developers to use machine identities protecting them must be easier and faster than it is to circumvent policy, otherwise these problems will continue to grow exponentially.

"Organisations that rely on DevOps processes require visibility, intelligence and automation to protect their machine identities.”

Story image
Training is essential to build cybersecurity awareness
More than ever, businesses need to ensure that all their workers have the right skills and training to protect the business from cybercrime.  More
Story image
Oracle combines cloud automation with comms security in new solution
The Oracle Communications Security Shield (OCSS) Cloud is built on the company’s cloud infrastructure, and uses AI and real-time enforcement to combat the heightened risk of infrastructure attacks presented to contact centres and enterprises.More
Story image
Rackspace and Cloudflare join forces for managed edge security
Rackspace and Cloudflare join forces for managed edge security The solution includes a web application firewall, DDoS protection, DNS services and a global content delivery network, backed by 24/7 support.More
Story image
HackerOne launches penetration testing to empower digital transformation
“In today’s agile environments, pentest platforms should seamlessly integrate with every aspect of the software development lifecycle so that findings are quickly pushed to the right developer and vulnerabilities are fixed faster."More
Download image
Crypto-of-Things: Mobile device security with cryptography at its heart
It’s a method that’s as safe as traditional airgapped hardware security modules, but it doesn’t compromise on software usability.More
Story image
Trend Micro ranks number one in Global Hybrid Cloud Security - IDC 
The cloud security firm enjoyed a market share of 29.5% last year, three times that of the number two vendor.More