
DevOps tools: Spotting and mitigating the security risks


By: Ben Lovejoy


You might expect DevOps tools like Puppet and Chef to increase the security of your systems. Consider the Heartbleed bug: while many organizations were left trying to manually track down all their in-use systems running the affected version of OpenSSL, DevOps environments were able to use automated tools to quickly identify and then patch the relevant systems. What could have taken weeks was accomplished in less than an hour.


A double-edged sword

But DevOps tools can also introduce new risks. For example, a Chef cookbook may itself be compromised, and you may be unwittingly pushing out that sketchy code to all your systems. The very speed with which you can do this may mean that by the time the problem is revealed, the code has been installed on every one of your systems.


Given the permissions such tools need to do their job, compromised code can wreak havoc with your systems. Think about it: if a tool can modify configurations, it can do almost anything it likes, such as add accounts, download confidential data, weaken or disable a firewall, modify a database, or simply overwrite existing versions of software with ones containing known vulnerabilities that can be subsequently exploited. There's virtually no limit to the damage a hacker could do by infiltrating compromised DevOps tools.


Other tools may be perfectly benign, yet still include security risks. At the RSA conference earlier this year, experts identified other security risks of DevOps tools, including passing usernames and credentials in plain text. Those who create DevOps tools may be so focused on speed and efficiency that they don't think through the security implications of the approaches they take, causing enterprises to break their own security policies without even realizing they're doing so.


Not worth the risk

So what steps can you take to mitigate these risks? The first, and most obvious one, is to ensure that the tools you use—and any recipes you run using them—have been validated as secure. This can be done by putting the tools through the same security checks you would apply to any other code allowed to run on critical systems. Test Kitchen, for example, converges Chef cookbooks on disposable test instances, so broken code is caught before it ever reaches a production node.


Second, consider small-scale rollouts of patches and updates before they're released to your systems en masse. That way, anything that does get past the security checks won't affect the entire enterprise. A brief pause to make sure all is well can be a simple but crucial safety measure.


Third, ensure that your contingency and disaster management processes can cope with inadvertent rollout of bad code across your networks. Make sure that in the worst case scenario, you would be able to roll back updates and patches without consequence.


Finally—and this is a bigger task, but one that shouldn't be viewed as optional—apply automation to your security processes to ensure that checks can't be bypassed by the automated rollout of new code.
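The four steps above, plus the plaintext-credential problem raised earlier, can be combined into a single pre-rollout gate. The following Ruby script is an added example written for this page; it is not code from the original article, from Chef, or from Test Kitchen. It assumes a cookbook read into memory as a path-to-content hash (the sample contents are constructed), a manifest of approved SHA-256 digests kept somewhere the cookbook authors cannot edit, a simple regular expression as the credential heuristic, and a 10% canary slice; all of those are choices made for the example, not anything the article prescribes.

```ruby
require 'digest'

# Constructed sample cookbook (file contents are made up for this example).
SAMPLE_COOKBOOK = {
  'metadata.rb'           => "name 'webapp'\nversion '1.4.0'\n",
  'recipes/default.rb'    => "package 'nginx'\nservice 'nginx' do\n  action [:enable, :start]\nend\n",
  'attributes/default.rb' => "default['webapp']['port'] = 8080\n"
}.freeze

# Digests recorded when the cookbook passed review. Assumption: in a real
# pipeline this manifest lives in a separate, access-controlled store, so
# whoever can edit the cookbook cannot also silently re-pin it.
APPROVED_MANIFEST = SAMPLE_COOKBOOK.transform_values { |src| Digest::SHA256.hexdigest(src) }.freeze

# Heuristic (an assumption, not a complete scanner) for literal credentials
# assigned in recipe or attribute code, e.g. password 'x' or ['token'] = "y".
CREDENTIAL_PATTERN = /\b(password|passwd|secret|api_key|token)\b['"\]]*\s*(=>|=|:)?\s*['"][^'"]+['"]/i

# Step 1 (validation): returns every path whose content no longer matches
# its approved digest, plus any path missing from the manifest entirely.
# An added file is as suspicious as a changed one.
def verify_manifest(files, manifest)
  changed = files.reject { |path, src| manifest[path] == Digest::SHA256.hexdigest(src) }.keys
  missing = manifest.keys - files.keys
  (changed + missing).sort
end

# Plaintext-credential screen: returns [path, line_number, line] for each
# line that looks like a hard-coded secret. Hits still need a human review.
def find_plaintext_credentials(files)
  files.flat_map do |path, src|
    src.each_line.with_index(1)
       .select { |line, _| line =~ CREDENTIAL_PATTERN }
       .map { |line, n| [path, n, line.strip] }
  end
end

# Step 2 (small-scale rollout): a deterministic slice of the fleet that
# receives the change first, so a bad cookbook is noticed before it is
# everywhere. Sorting makes the choice reproducible across runs.
def canary_nodes(nodes, fraction: 0.1)
  count = [(nodes.size * fraction).ceil, 1].max
  nodes.sort.first(count)
end

# Steps 3 and 4 (rollback target, automated gate): the cookbook reaches the
# canary slice only if integrity and credential checks pass, and the
# currently deployed version is recorded as the rollback target before
# anything ships. Because the checks run inside the rollout path, the
# automation cannot bypass them.
def plan_rollout(files, manifest, nodes, previous_version:)
  reasons = []
  tampered = verify_manifest(files, manifest)
  reasons << "integrity mismatch: #{tampered.join(', ')}" unless tampered.empty?
  creds = find_plaintext_credentials(files)
  reasons << "plaintext credentials at #{creds.map { |p, n, _| "#{p}:#{n}" }.join(', ')}" unless creds.empty?

  {
    status:      reasons.empty? ? :canary : :blocked,
    reasons:     reasons,
    canary:      reasons.empty? ? canary_nodes(nodes) : [],
    rollback_to: previous_version
  }
end

if __FILE__ == $PROGRAM_NAME
  fleet = (1..20).map { |i| format('web%02d', i) }   # constructed node names
  p plan_rollout(SAMPLE_COOKBOOK, APPROVED_MANIFEST, fleet, previous_version: '1.3.2')
end
```

The important design point is that the decision object carries the rollback version even when the rollout is approved: the moment the canary nodes misbehave, the version to return to is already known rather than something to reconstruct under pressure.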


For insights on using DevOps to accelerate the speed of your business, check out the infographic subtitled Four keys to starting your DevOps journey.



About the author



Ben Lovejoy is EU Editor of 9to5Mac and 9to5Google and a freelance tech writer whose published credits include the Guardian, the Telegraph, the Sunday Times, the Express, and many regional newspapers. He's written for more than 30 computer & technology magazines, as well as numerous businesses, websites, and corporate clients.


Connect with Ben:

 Follow me on Twitter @benlovejoy
