There’s no doubt that DevOps methodologies offer significant strategic and competitive advantages. But these benefits are not without risk. With faster code delivery at scale, the attack surface can grow rapidly, with exponentially more secrets to manage and secure.
Importantly, while security teams set policies, it is the developers who are on the front lines coding, testing and building the applications – and actually securing the secrets. To find out more about how developers go about managing secrets in the applications they are developing for large enterprises, we commissioned an independent survey of DevOps managers and developers.
The survey’s findings are presented in our latest eBook, “Managing Application Secrets – What Do Developers Really Want?” The following provides a brief overview of some key takeaways. For a deeper look into how developers approach secrets management and the challenges enterprises face in securing secrets, their future plans and potential roadblocks.
Built-in secrets management isn’t enough. Consider this: An organization utilizes Docker, Puppet, AWS, Kubernetes, Ansible and Azure. All of these DevOps tools and platforms offer some built-in secrets management capabilities, but the tools are not compatible with each other. Each tool takes a different approach to security and uses a different API, making the developer’s job more difficult. As requirements change and new tools are introduced, developers will likely need to address the challenges of integrating tools and managing and sharing secrets across these disparate systems.
Ownership confusion abounds. While developers can play a key role in selecting secrets management platforms, the platforms are often purchased by various teams and at multiple organizational levels with no single group “owning” decision-making and budgeting. This haphazard approach means different teams turn to different tools and services, creating layers of unnecessary complexity and questions about who is responsible for what, while laying the groundwork for future security issues. CyberArk discovered that less than half (41 percent) of security and DevOps teams are integrated throughout the whole application development process.
Standardization is key – but organizations face roadblocks. The vast majority – nearly 80 percent – of respondents indicated that it was important or very important to standardize on secrets management tools. Further, 60 percent consider it important or very important to have a privileged access or identity management vendor that also provides secrets management for their DevOps and CI/CD pipeline. This indicates that respondents recognize the importance of consistently securing credentials for human users as well as for applications and other non-human users. (This matters because it is typically human users who initially assign privileged access to non-human users.) However, it’s not happening widely: only 24 percent of respondents said that they are currently using a standardized tool.
So while it’s clear that secrets management tools should be coordinated and integrated with enterprise-wide, privileged access management solutions – why have so few standardized? Our research points to budget constraints, still-evolving secrets management solutions, security teams that don’t adequately understand DevOps and fragmented decision processes as the biggest roadblocks to standardization today. The eBook looks at how these roadblocks can be addressed.
The new eBook provides the developer’s perspective on securing DevOps environments and complements the recently published CISO View report, which provides the security leader’s perspective on securing DevOps environments. The eBook highlights four actionable and immediate steps DevOps and security teams can take to start making applications more secure. Both The CISO View and the Managing Application Secrets eBook are based on research conducted by independent research firms and are product agnostic.
On Tuesday, February 26th, CyberArk will present the webinar “How CISOs at Leading Global Organizations Secure their DevOps Environments.” The webinar will cover the recently released CISO View report and provide practical guidance on DevOps security based on insights from CISOs at Global 1000 companies and other experts.