Infrastructure Insights

DevOps tools: Spotting and mitigating the security risks

Insights_Guest on 10-08-2015 09:00 AM

By: Ben Lovejoy
You might expect DevOps tools like Puppet and Chef to increase the security of your systems. Consider the Heartbleed bug: while many organizations were left trying to manually track down all their in-use systems running the affected version of OpenSSL, DevOps environments were able to use automated tools to quickly identify and then patch the relevant systems. What could have taken weeks was accomplished in less than an hour.
A double-edged sword

But DevOps tools can also introduce new risks. For example, a Chef cookbook may itself be compromised, and you may be unwittingly pushing out that sketchy code to all your systems. The very speed with which you can do this may mean that by the time the problem is revealed, the code has been installed on every one of your systems.
Given the permissions such tools need to do their job, compromised code can wreak havoc with your systems. Think about it: if a tool can modify configurations, it can do almost anything it likes, such as add accounts, download confidential data, weaken or disable a firewall, modify a database, or simply overwrite existing versions of software with ones containing known vulnerabilities that can be subsequently exploited. There's virtually no limit to the damage a hacker could do by infiltrating compromised DevOps tools.
Other tools may be perfectly benign, yet still include security risks. At the RSA Conference earlier this year, experts identified other security risks of DevOps tools, including passing usernames and credentials in plain text. Those who create DevOps tools may be so focused on speed and efficiency that they don't think through the security implications of the approaches they take, causing enterprises to break their own security policies without even realizing they're doing so.
Not worth the risk

So what steps can you take to mitigate these risks? The first, and most obvious one, is to ensure that the tools you use—and any recipes you run using them—have been validated as secure. This can be done by putting the tools through the same security checks you would any other code allowed to run on critical systems. Test Kitchen, for example, can be used to ensure that Chef cookbooks don't contain broken code.
Second, consider small-scale rollouts of patches and updates before they're released to your systems en masse. That way, anything that does get past the security checks won't affect the entire enterprise. A brief pause to make sure all is well can be a simple but crucial safety measure.
Third, ensure that your contingency and disaster management processes can cope with the inadvertent rollout of bad code across your networks. Make sure that in the worst-case scenario, you would be able to roll back updates and patches without consequence.
Finally—and this is a bigger task, but one that shouldn't be viewed as optional—apply automation to your security processes to ensure that checks can't be bypassed by the automated rollout of new code.
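The four steps above, worked into one small Ruby release gate as an added example (it is not code from the article, from Chef or from Test Kitchen): the gate refuses to roll out a cookbook whose file digests differ from the manifest pinned at review, deploys to a small canary batch before the rest of the fleet, rolls back everything already deployed if any host fails its health check, and runs those checks as part of the rollout itself so they cannot be skipped. The cookbook contents, host names and the deploy/healthy/rollback callables are constructed placeholders.

```ruby
require 'digest'

# Constructed sample cookbook: path => file content, as reviewed and approved.
COOKBOOK = {
  'metadata.rb'        => "name 'webapp'\nversion '1.2.0'\n",
  'recipes/default.rb' => "package 'nginx'\nservice 'nginx' do\n  action [:enable, :start]\nend\n"
}.freeze

# Pin the SHA-256 digest of every file at review time.
def digest_manifest(files)
  files.to_h { |path, content| [path, Digest::SHA256.hexdigest(content)] }
end

APPROVED_MANIFEST = digest_manifest(COOKBOOK).freeze

# Step 1: validate before rollout. Returns the paths whose content was added,
# removed or altered since review; an empty array means the cookbook is unchanged.
def verify_cookbook(files, approved)
  actual = digest_manifest(files)
  (actual.keys | approved.keys).reject { |path| actual[path] == approved[path] }
end

# Steps 2 and 3: deploy to a small canary batch, check health, and only then
# continue to the remaining hosts; any unhealthy host triggers a rollback of
# everything deployed so far. deploy, healthy and rollback are hypothetical
# callables supplied by the caller (e.g. wrappers around knife or chef-client).
def staged_rollout(hosts, canary_size:, deploy:, healthy:, rollback:)
  deployed = []
  [hosts.first(canary_size), hosts.drop(canary_size)].each do |batch|
    batch.each { |host| deploy.call(host); deployed << host }
    failed = batch.reject { |host| healthy.call(host) }
    next if failed.empty?
    deployed.reverse_each { |host| rollback.call(host) }
    return { status: :rolled_back, deployed: [], failed: failed }
  end
  { status: :complete, deployed: deployed, failed: [] }
end

# Step 4: the checks are part of the pipeline itself, so a rollout cannot
# skip them. Raises if the cookbook differs from what was reviewed.
def release(files, hosts, canary_size: 1, **callbacks)
  changed = verify_cookbook(files, APPROVED_MANIFEST)
  raise "cookbook differs from reviewed manifest: #{changed.join(', ')}" unless changed.empty?
  staged_rollout(hosts, canary_size: canary_size, **callbacks)
end
```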
For insights on using DevOps to accelerate the speed of your business, check out the infographic subtitled "Four keys to starting your DevOps journey."
Ben Lovejoy
Ben Lovejoy is EU Editor of 9to5Mac and 9to5Google and a freelance tech writer whose published credits include the Guardian, the Telegraph, the Sunday Times, the Express, and many regional newspapers. He's written for more than 30 computer & technology magazines, as well as numerous businesses, websites, and corporate clients.

Connect with Ben:

@benlovejoy
