Cryptographic keys and digital certificates that uniquely identify machines and applications are vital to businesses that want to authenticate their services and protect the integrity of data in transit. However, even organizations with mature DevOps practices sometimes fail to follow the practices designed to secure the use and storage of those keys and certificates.
While 82 percent of organizations with mature DevOps practices have consistent policies for securing cryptographic keys and digital certificates, only 53 percent of those that have just started to adopt DevOps enforce such policies. Similarly, 62 percent of mature DevOps teams replace development certificates with production certificates before deployment, but only 36 percent of organizations that have just started to adopt DevOps do the same.
Some 56 percent of respondents that have just begun to adopt DevOps say their teams are aware of the security controls for protecting cryptographic keys and digital certificates, while 89 percent of mature DevOps teams believe they have the right security practices in place.
A lack of proper security controls, or an inability to tell testing certificates from production certificates, can cause serious problems for an organization, because attackers can find and exploit these weaknesses. Key reuse is the clearest case: 69 percent of mature DevOps teams reuse cryptographic keys, compared to 79 percent of those just adopting DevOps. A single key shared across environments or applications means that, if that key is lost or stolen, an attacker gains access to every environment and application that uses it, not just the one where the compromise happened.
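The two failures described above, a key pair reused across environments and a self-signed development certificate left in production, are both visible in a certificate inventory if you look at the right fields. The following Go program is an added example written for this page, not code from the survey or its authors. It builds a small constructed inventory of certificates (generated in memory with the standard library, so it runs offline), fingerprints each certificate's SubjectPublicKeyInfo to find keys deployed in more than one environment, and flags self-signed certificates deployed in production. The environment names, common names and the `Audit`, `SPKIFingerprint` and `IsSelfSigned` helpers are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// EnvCert is one inventory entry: the environment a certificate is deployed in, plus the certificate.
type EnvCert struct {
	Env  string
	Cert *x509.Certificate
}

// Finding is one audit result. Kind is "key-reuse" or "self-signed-in-prod".
type Finding struct {
	Kind   string
	Detail string
}

// SPKIFingerprint hashes the certificate's SubjectPublicKeyInfo. Certificates that share a
// fingerprint share a key pair, whatever their subjects, issuers or serial numbers say.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// IsSelfSigned reports whether the certificate names itself as issuer and verifies under its own key,
// the usual shape of a locally generated development certificate.
func IsSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// Audit flags keys deployed in more than one environment and self-signed certificates in production.
func Audit(inv []EnvCert) []Finding {
	envsByKey := map[string]map[string]bool{}
	var out []Finding
	for _, ec := range inv {
		fp := SPKIFingerprint(ec.Cert)
		if envsByKey[fp] == nil {
			envsByKey[fp] = map[string]bool{}
		}
		envsByKey[fp][ec.Env] = true
		if ec.Env == "prod" && IsSelfSigned(ec.Cert) {
			out = append(out, Finding{"self-signed-in-prod",
				fmt.Sprintf("%s (serial %s) is self-signed but deployed in prod", ec.Cert.Subject.CommonName, ec.Cert.SerialNumber)})
		}
	}
	fps := make([]string, 0, len(envsByKey))
	for fp := range envsByKey {
		fps = append(fps, fp)
	}
	sort.Strings(fps) // map iteration order is random; sort so reports are reproducible
	for _, fp := range fps {
		if len(envsByKey[fp]) < 2 {
			continue
		}
		envs := make([]string, 0, len(envsByKey[fp]))
		for e := range envsByKey[fp] {
			envs = append(envs, e)
		}
		sort.Strings(envs)
		out = append(out, Finding{"key-reuse", fmt.Sprintf("key %s is used in: %s", fp[:16], strings.Join(envs, ", "))})
	}
	return out
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

var serial int64

// issue creates a certificate for cn holding pub, signed by parent with signer; a nil parent makes it self-signed.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSampleInventory is a constructed inventory: one key pair deliberately shared between dev and prod,
// one self-signed certificate in prod, and one harmless self-signed certificate that stays in dev.
func BuildSampleInventory() []EnvCert {
	caKey := newKey()
	ca := issue("Example Internal CA", &caKey.PublicKey, nil, caKey, true)
	shared, local, unique := newKey(), newKey(), newKey()
	return []EnvCert{
		{"dev", issue("dev.app.example", &shared.PublicKey, nil, shared, false)}, // self-signed dev cert
		{"prod", issue("app.example", &shared.PublicKey, ca, caKey, false)},     // CA-issued, but same key as dev
		{"dev", issue("localhost", &local.PublicKey, nil, local, false)},        // fine: dev only, own key
		{"prod", issue("api.example", &unique.PublicKey, nil, unique, false)},   // self-signed cert in prod
	}
}

func main() {
	for _, f := range Audit(BuildSampleInventory()) {
		fmt.Printf("%-20s %s\n", f.Kind, f.Detail)
	}
}
```

Run against the constructed inventory, the audit reports exactly two findings: the self-signed `api.example` certificate in prod, and the key pair shared by `dev.app.example` and `app.example`. Note that the second finding is invisible if you only compare certificate serial numbers or subjects, because the production certificate was issued by the CA correctly; only the public-key fingerprint reveals that it is the same key pair the developers used, which is why SPKI fingerprints, not certificate fingerprints, are the right inventory key for this check.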
For teams adopting DevOps that want to move faster while streamlining security and improving their workflows, here are some habits of successful DevOps organizations worth following:
- Increase trust and transparency between Dev, Sec and Ops
- Understand the probability and impact of specific risks
- Discard detailed security road maps in favor of incremental improvements
- Use the continuous delivery pipeline to incrementally improve security practices
- Standardize third-party software and then keep it current
- Govern with automated audit trails
- Test preparedness with security games