Security Myths Debunked: 5 Things DevOps Need to Understand!

DevOps (developers and operations blended into a team) and DevSecOps (just add security to the mix) are staffed with state-of-the-art professionals. But even they don’t know everything, especially those new to the field.  

Nowhere is this truer than with security. Here are five things new DevOps pros should know, principles veterans should never forget and common security myths you should never fall for.

1. Misconfiguration is Your Enemy 

Even experienced IT pros sometimes fail to understand the true enemy and how they work. For instance, viruses, malware and attacks such as DDoS are seen as are most likely avenues into the network than other attacks. Meanwhile, perimeter defenses such as firewalls and intrusion detection and prevention are seen as keys to keeping the bad guys out. Anti-malware will indeed block a large swath of attacks and updating software will keep hacks that exploit old vulnerabilities from crippling your IT infrastructure. But the often unknown truth is the most common way cyber criminals breach your system is by exploiting misconfiguration. 

Don’t believe it? Well, here is what Gartner has to say:  

  • Misconfigurations were responsible for 99% of all firewall breaches through the end of 2023.  
  • Gartner also predicts that through 2025, over 99% of cloud breaches will be from misconfigurations or end user error.
  • “80% of cloud breaches are due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities,” said Neil Macdonald, Analyst – Gartner. 
Configuration management is the answer. “Configuration errors are a common source of hack attacks, not to mention threats to end user productivity and proper IT operations. IT configuration management aims to systematize configuration so only proven, tested and secure configurations are applied. For enterprises which must adhere to compliance regulations, configuration management is an absolute must have,” the Progress Chef  What is Configuration Management glossary page explained. “For security, making sure that permissions, privileges and credentials are all applied properly and consistently – each time – are security and compliance essential, as are implementing proper rules for device ports, firewalls, servers and other critical gear.” 

The Open Web Application Security Project (OWASP) also weighed in, saying that Security Misconfiguration is one of the top ten security issues. Here are some common mistakes OWASP pointed out:  

“Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services. Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges). 

  • Default accounts and their passwords are still enabled and unchanged. 
  • Error handling reveals stack traces or other overly informative error messages to users.
  • For upgraded systems, the latest security features are disabled or not configured securely.
  • The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.
  • The server does not send security headers or directives, or they are not set to secure values.
  • The software is out of date or vulnerable.” 

2. Not Taking Insider Threats Seriously (Including IT Itself) 

IT is the group enterprises turn to keep cyber threats at bay, including from traditional hackers working from outside the perimeter to malfeasance by company insiders.  

“People may think they are somehow immune to a data breach. They may put their trust in their security controls, thinking they have amazing, impenetrable defenses. They may put their trust in “flying under the radar” or believe they are too small to have a breach. But this kind of thinking largely assumes breaches come from the outside, from the “bad actors” that are external to the organization. What they fail to take into account is the risk of an insider breach,” argues the Verizon Data Breach Investigations Report. “The most common nonaccidental Internal actor breach is Privilege abuse. This is just what it sounds like—employees abusing the access they have been given to do their jobs to steal data instead. They are significantly more likely to do this for their own financial gain. We know, it’s a shocker.” 

While many security pros are getting hip to the insider threat, how often does IT look at its own ranks?  

While insiders are a threat because they already have network access, often with high privileges, IT deeply understands that network, knows where the valuable data lies and has admin privileges that often give them full access. 

Leveraging privilege abuse, admins, developers and other technical staffers are a source of data theft and other malfeasance — and when the techies strike, they can strike hard. 

3. Not Having a Cloud Security Posture Management (CSPM) Plan

The cloud is increasingly where an enterprise’s most precious data resides. Most IT professionals understand the Shared Responsibility Model where cloud security duties are divvyed up between the provider and the cloud user organization.  

“For SaaS solutions, a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices,” Microsoft argued in its  Shared Responsibilities for Cloud Computing whitepaper. “For SaaS solutions, a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices.”

The Role of IT in Cloud Security: The Shared Responsibility Model

That is a great starting point for cloud security. But DevOps minded shops should absolutely consider Cloud Security Posture Management. 

“Cloud Security Posture Management comprises all the security and compliance management tools an enterprise uses to maintain a secure multi-cloud environment without any misconfigurations or vulnerabilities,” explained the Progress Chef glossary page What is Cloud Security Posture Management?. “The CSPM approach begins by first analyzing your current cloud security posture and then devising a strategy and set of best practices that improve your cloud security posture and maintain it continuously via management. These best practices are supported by CSPM solutions that allow IT to identify and remediate risks and reduce misconfigurations in their cloud environments.” 

According to Gartner, Cloud Security Posture Management or CSPM solutions, “continuously manage IaaS and PaaS security posture through prevention, detection and response to cloud infrastructure risks. The core of CSPM offerings applies common frameworks, regulatory requirements and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided,” Gartner’s What is Cloud Security Posture Management page explained. 

CSPM is best baked into the application development process from the get-go. “You can integrate CSPM into your development process, to ensure continuous visibility. CSPM is particularly beneficial for DevOps pipelines, which rely heavily on automation. With CSPM you can automate misconfiguration remediation, implement cloud compliance audits and benchmarks, and identify risks across your cloud infrastructure,” argued the Everything You Need to Know About CSPM blog. 

Secure apps don’t come as an afterthought but are designed and written that way from the very beginning. “A core tenet of DevOps is to do things at the point where it costs the least amount of money to fix. The earlier you can identify issues in the process of creating resources, the faster you can give feedback to the people who are creating and consuming resources in the cloud. DevSecOps solutions such as CSPM, IaC scanning and Policy as Code help organizations merge these processes and get people on the same page,” claimed the Chef What is DevOps blog. 

4. Ignore Internet of Things (IoT) at Your Own Risk 

IT likes to think it knows what it has for IT infrastructure and devices, but likely hidden from view are tens, hundreds or thousands of small intelligent connected devices commonly just called IoT. These devices can be a cybercriminal entry point into the network, such as serving as a launchpad for a DDoS attack or a malware vector. 

The trick is to have a policy, an enforceable one, that IT must be told about all IoT devices. But IT cannot rely on IoT devices being declared. Instead, IT needs a way to discover all items connected to the network. Once the issue is understood, having a plan to secure and manage these devices is the next, and perhaps most crucial, step. 

There are several IoT gotchas, according to CompTIA, including: 

  • Inadequate default settings: IoT devices that contain default settings may include default passwords and other settings that cannot be changed.
  • Non-existent upgrade paths: Sometimes, it is impossible to update the firmware or other information itself, making the device permanently toxic to healthy IoT networks.
  • The use of inappropriate technology: Many times, organizations will place powerful software onto an IoT device, even though such computing power is not necessary. For example, IoT manufacturers have placed complete Linux operating system on an IoT device, when only a portion was necessary. As a result, once the IoT device was compromised, it became a powerful weapon in the hands of an attacker.” 
Hackers love to use botnets to compromise IoT. “A botnet can include tens of thousands, or even millions of devices. Attackers can use these botnets to wage DDoS attacks or introduce malware to new victims. Many of the security breaches that find their way into the news are the results of botnets,” CompTIA argued on its What is IoT Cybersecurity page. 

5. Password Problems (With End Users and, Yes, Even IT!) 

IT is charged with creating and enforcing password policies. Here, complex passwords and MFA are increasingly de rigueur. However, IT itself often shirks its password responsibility. Sometime new devices are left weakly guarded by their old default passwords, which can be as simple as ‘password’.  

 In fact, IT, which needs access to perhaps dozens of different systems, avoids doing what it regularly preaches – using complex passwords and strong authentication.   

A Microsoft 365 management vendor learned this in a survey of M365 admins, “78% of Microsoft 365 admins are unmindful of security and data governance protocols and lack basic security protections, enabling hackers to crack these high-level accounts and make off with company credentials,” the survey found. “The survey research shows that approximately 78% of M365 administrators do not have multi-factor authentication (MFA) activated. According to the SANS Software Security Institute, 99% of data breaches can be prevented using MFA. This is a huge security risk, particularly during a time when so many employees are working remotely. 

Meanwhile, these same administrators have privileges beyond what they need, posing a serious IT insider threat. “M365 administrators are given excessive control, leading to increased access to sensitive information – 57% of global organizations have M635 administrators with excess permissions to access, modify, or share critical data. In addition, 36% of M365 administrators are Global Admins, meaning these administrators can essentially do whatever they want in M365,” the research discovered.  


Posted in:
Tags:

Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.