Security remains an afterthought in DevOps

Enterprises in Asia are lapping up DevOps but less than one-third have baked security processes into their developments

Although DevOps has made it faster and easier to roll out applications, security often remains an afterthought in Asia, according to CyberArk’s latest advanced threat landscape report.

Across the region, CyberArk found that 94% of organisations had adopted DevOps, but only 28% had fully integrated security teams and processes throughout the application development process.

“Security is an afterthought or is actively avoided because it is perceived as a drag on innovation,” said Jody Hunt, CyberArk’s global security director for DevSecOps. “Making things secure – and as part of a workflow – at scale is a challenge.”

Hunt said that while other security suppliers are focused on application security where software code is scanned for potential security loopholes, CyberArk looks at securing the development pipeline.

“The tools used to build applications are ‘privileged actors’ that could be used by humans or build automation systems,” he said, noting that privileged credentials in these tools could be exploited by hackers to bring up servers and change configurations in attempts to compromise an organisation’s cyber defences.

What is alarming is that 25% of respondents in CyberArk’s study were unaware that privileged accounts or secrets were found in continuous integration and continuous delivery (CI/CD) tools.

Other areas that Asian security professionals think that privilege accounts and secrets were not found were microservices (23%), containers (26%) and source code repositories such as GitHub (27%).

Late last year, it was reported that an AWS (Amazon Web Services) access key and security key held at GitHub were used by cyber criminals to access an AWS privilege account, which was used to compromise the personal data of Uber riders and drivers in a massive data breach.

However, Hunt pointed out that the DevOps teams he had encountered were not cavalier about security. The problem was that they tended to build “security islands” that were separate from an enterprise’s security infrastructure.

Read more about DevOps

  • Public sector IT leaders trying to transform the way their organisation works using DevOps talk about the challenges they face.
  • Allianz wants to become “digital by default” and its CIO explains the vital role DevOps and cloud play in its change programme.
  • With the pressure to achieve greater business agility, more IT organisations in the APAC region will look to DevOps as a way to ensure quality, security and performance of their applications.
  • What steps should the enterprise take in adopting the DevOps approach to software development and delivery?

According to CyberArk’s study, a quarter (25%) of Asian respondents have built their own security systems to protect and manage secrets for DevOps projects.

“They are using tools and ‘secret features’ that tend not to be encrypted, audited or authenticated,” said Hunt. “All the things that we hold as principles in security are generally not adhered to. Even if they do, they represent a fracturing of the security landscape in the enterprise.”

Compounding the problem is the rising adoption of cloud, which is being used by 42% of respondents for internal development. However, most DevOps security strategies in Asia are not to the cloud.

According to the study, nearly two-thirds (64%) of Asian enterprises rely on their cloud supplier’s built-in security, which means privileged account security is not fully integrated into DevOps processes when spinning up environments.

Singapore-based application developer Patrick Cher told Computer Weekly that even as DevOps can help to streamline software development, security processes should be baked in right from the start.

“Besides code testing, we also monitor the use of privileged credentials,” he said. “This has lengthened our development lifecycle, but it is necessary given the growing number of cyber threats today.”

Read more on DevOps