The way cybersecurity teams manage certificates is turning out to be a major impediment to software delivery, one that could best be addressed by more organizations adopting DevSecOps best practices in 2020.
A survey of 108 attendees at the recent DevOps Enterprise Summit 2019 conference conducted by Venafi, a provider of tools for assigning identities to machines, finds 75% of respondents said they are concerned that corporate certificate issuance policies slow down development.
In addition, 39% of respondents believe developers should be able to circumvent corporate certificate issuance policies to meet service level agreements (SLAs), and only about half (48%) said they are confident that developers always request certificates through authorized channels.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the root cause of the friction between developers and cybersecurity teams can be traced to reliance on ticket-based systems for managing IT. DevOps teams in the age of the software engineer are building and deploying applications faster than manual, ticket-based request processes can keep up with, he said.
Rather than wait on IT operations teams, DevOps teams are doing an end run around them as business leaders push for applications to be deployed faster. In many cases, DevOps teams are obtaining certificates directly from a cloud service provider such as Amazon Web Services (AWS), Bocek noted. Unfortunately, that can lead to other issues: More than half of respondents (55%) said their organization experienced a certificate-related outage in the past 12 months. Not all of those outages are likely to have resulted from DevOps teams working around internal IT, but the figure does confirm how deeply flawed the existing process for issuing certificates already is.
To address that issue, Bocek said organizations will need to shift to an approach for issuing trusted certificates that is based on a standard set of REST application programming interfaces (APIs) and is a natural extension of the DevOps processes baked into a continuous integration/continuous delivery (CI/CD) pipeline.
Unfortunately, most organizations are not especially aware of best practices for issuing trusted certificates. The Venafi survey found three-quarters of respondents (75%) are unfamiliar with NIST Special Publication 1800-16, "Securing Web Transactions: TLS Server Certificate Management," the practice guide on exactly this topic that is available in draft form from the National Institute of Standards and Technology (NIST).
Bocek said the days when cybersecurity teams could employ certificates as a means for governing when applications are deployed are all but over. Cybersecurity teams need to collaborate with DevOps teams to define a set of best DevSecOps processes through which trusted certificates still play a role in helping secure the IT environment without slowing down the application deployment process, he said.
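As an added illustration of what the API-driven, policy-in-code issuance Bocek describes can look like inside a pipeline (this is example code written for this article, not a Venafi product, the NIST guide, or anything a survey respondent runs): a CI/CD step generates a fresh key and a CSR, and the issuance service validates the request against the corporate policy before signing, so the checks that used to live in a ticket queue run in milliseconds on every request. The `.svc.example.internal` namespace, the 72-hour lifetime, the ECDSA P-256 requirement and the in-memory CA are all assumptions standing in for a real REST issuance service and its root of trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy is the corporate issuance policy as code, checked on every request instead of by ticket.
type Policy struct {
	AllowedSuffix string        // hypothetical internal namespace that every requested name must fall under
	MaxValidity   time.Duration // short lifetimes bound the damage from a leaked key and force renewal
}

// Validate parses a PEM CSR and enforces the policy on it.
func (p Policy) Validate(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok || pub.Curve != elliptic.P256() {
		return nil, fmt.Errorf("policy requires an ECDSA P-256 key")
	}
	if len(csr.DNSNames) == 0 || len(csr.IPAddresses) > 0 || len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
		return nil, fmt.Errorf("at least one DNS SAN is required and no other SAN types are allowed")
	}
	for _, name := range csr.DNSNames { // no wildcards, and only names inside the allowed namespace
		if strings.Contains(name, "*") || !strings.HasSuffix(strings.ToLower(name), p.AllowedSuffix) {
			return nil, fmt.Errorf("SAN %q is outside the allowed namespace", name)
		}
	}
	return csr, nil
}

// must panics on unexpected crypto failures; policy rejections are returned as errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a minimal in-memory issuer standing in for the REST issuance service;
// NewCA builds it self-signed as a test fixture, not a production root.
type CA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }
func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{cert: must(x509.ParseCertificate(der)), key: key}
}

// Issue signs a leaf for a CSR that passes policy; SANs come from the CSR, the lifetime from policy.
func (ca *CA) Issue(csrPEM []byte, p Policy) (*x509.Certificate, error) {
	csr, err := p.Validate(csrPEM)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:      pkix.Name{CommonName: csr.DNSNames[0]}, DNSNames: csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(p.MaxValidity),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key))
	return x509.ParseCertificate(der)
}

// NewCSR is the pipeline side: a fresh key and a CSR for the service being deployed.
func NewCSR(dnsNames []string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames}
	der := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	ca, policy := NewCA(), Policy{AllowedSuffix: ".svc.example.internal", MaxValidity: 72 * time.Hour}
	_, err := ca.Issue(NewCSR([]string{"www.example.com"}), policy) // public name, so policy rejects it
	fmt.Println("rejected:", err)
}
```

The point to take from it is that nothing the ticket used to check has been dropped: which names a team may request, which key types are acceptable, and how long a certificate lives are all still enforced, but by the issuer in code rather than by a person reading a form. The requester never chooses the lifetime, so a short validity cap turns renewal into a routine pipeline step rather than the surprise that shows up in the outage statistics above.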
It may take a while for DevOps teams and cybersecurity professionals to get on the same page in terms of issuing certificates. However, as pressure to deploy applications faster continues to mount, cybersecurity teams will need to adjust their policies and processes. How certificates are issued may be as good a place to start their DevSecOps transition as any.