
DevSecOps: Embrace DevOps While Protecting Credentials

15 Oct 2019 4:00pm, by

James Legg
James Legg is the president and chief executive officer of Thycotic. Responsible for day-to-day operations, James creates and executes growth strategies and initiatives designed to propel Thycotic to the next level. James has amassed over 25 years of managerial and sales experience in guiding technology companies to accelerated, sustained growth. Most recently, he served as eVice President and GM of Unitrends, Inc., after serving as CEO of PHD Virtual, acquired by Unitrends in 2013. Previously, he served as vice president of worldwide sales for Idera Corporation, and was vice president of sales at NetIQ Corporation, having come there via the acquisition of PentaSafe Security Technologies, a remote access, vulnerability assessment and intrusion detection solution provider.

As part of the global advancement of the technology world, organizations of all sectors and sizes continue to adopt new practices and technologies. One of the latest trends implemented by forward-thinking companies is the concept of DevOps.

DevOps is a core approach to advancing organizations’ IT environments. The DevOps strategy incorporates a collection of tools, techniques and theories that, when applied, make organizations faster. It involves unifying two fundamental components of the IT team, joining software developers (Dev) and IT operations (Ops) personnel under the same (virtual and literal) roof to promote the principles of this approach. Rather than having these units continue to work separately, the DevOps approach teams them up to collaborate throughout the application lifecycle.

A key element of DevOps is the acceleration of processes through the various parts of the application development lifecycle. Automation is being added at an almost rampant rate, dramatically improving process speed by reducing the manual action required throughout the lifecycle.

However, the integration of several engineers, developers, operators and administrators means several hands are involved in each project. Each process requires access privileges for each action, requiring multiple people to have multiple access or account privileges. As is well documented in the realm of security, the more human involvement, the more security risk.

Most organizations know they need to restrict the privileged access of their employees — naturally, you wouldn’t want everyone in your company to have the ability to access everything within the company. So, with the obvious need to limit access in mind, organizations need to be especially careful when multiple people from multiple teams are involved in processes, which is a vital component of DevOps. But these team members quite often exchange admin passwords, keep credentials in code and store the secrets to privileges in all sorts of convenient but dangerously insecure ways. Remember, DevOps is all about making organizations faster — and in the rush, cybersecurity best practices are often ignored or neglected.

This is where the concept of “DevSecOps” comes in — the concept of involving security in the DevOps approach. Now, extending this collaboration of software developers and IT operations personnel to include security teams becomes complex, which makes ensuring that the organization and its entire employee base stay cyber secure quite complicated.

Without keeping security in mind in the DevOps process, organizations are opening themselves up to hefty risk. Remember, an organization can’t deliver much of anything quickly if it’s penetrated and conquered by a malicious hacker.

No matter what progress organizations make, it is absolutely vital that they protect their privileged credentials. These credentials unlock access to controls and permissions for organizations’ users — and hackers in the event of credential theft. Access to these privileges empowers the user (or cybercriminal) with numerous abilities that include but are not limited to the potential for stealing sensitive data, remotely disabling or manipulating components of the IT environment, altering critical network infrastructure and modifying other privileged accounts.

The power of these privileged accounts provides attackers with significant leverage and footholds in organizations’ internal systems. Harnessing the stolen credentials and resulting privileges, malicious hackers can bypass cyber protections and launch catastrophic attacks from inside the victim organizations’ IT environment — such as installing malware within the victims’ networks. Additionally, and to make matters worse, these assailants are often able to hide their attacks by deleting their virtual fingerprint and removing evidence. This then lengthens the time between the attack and discovery, extending their ability to evade detection.

Prioritizing cybersecurity for these credentials is no new phenomenon. Privileged account security has long been a major issue for organizations of all sizes and credential theft is still the most commonly used attack strategy of cybercriminals. Protecting these privileges and the access and accounts they protect is crucial to an organization’s overall cybersecurity posture. No matter what advancements or strategies (i.e. DevOps) are adopted, this fundamental aspect of cybersecurity cannot be neglected or forgotten.

DevSecOps tips:

  • Use automation wherever and whenever possible
  • Integrate security into the pipeline and not as a bolt-on at the end
  • Know your code dependencies
  • Don’t hard code admin credentials
  • Scan your code often
  • Test everything

Feature image via Pixabay.
