
DevOps—Underestimated Security Risks

More and more companies are using DevOps for efficient application deployment. DevOps promises a shorter time to market, better product quality and higher levels of customer satisfaction. However, it also entails new security risks.
Michael Kleist, CyberArk
November 29, 2018
DevOps Column

Digital transformation needs high agility and increasingly promotes the use of DevOps environments. That’s because DevOps offers accelerated innovation, higher flexibility and reduced complexity in application development and deployment. Companies that implement DevOps therefore primarily aim at business benefits. More often than not, however, they neglect security. That is a severe mistake, because DevOps significantly widens the attack surface for cyber criminals.

If companies use DevOps models, they also have to create more privileged accounts and credentials and share them automatically across integrated business networks. Those credentials include service accounts, encryption, API and SSH keys, container secrets, and passwords embedded in program code, which is often also stored in central repositories.
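The last risk named above, passwords and keys embedded in program code that ends up in a shared repository, is one a defender can check for mechanically before a commit reaches the central repository. The following scanner is an added example written for this article, not code from the author or from CyberArk: it runs a handful of heuristic patterns over a constructed deployment script and reports the lines that carry a literal credential. The sample file, its values (including the publicly documented AWS example key ID `AKIAIOSFODNN7EXAMPLE`) and the pattern set are assumptions for illustration; a production scanner would use a larger, maintained rule set.

```python
import re

# Heuristic patterns for credentials that commonly end up embedded in source
# or configuration files. Illustrative, not exhaustive. The AWS access key ID
# format (AKIA followed by 16 upper-case letters or digits) is the documented
# public format; the others are generic key=value and URL shapes.
SECRET_PATTERNS = {
    "hard-coded password": re.compile(
        r"""(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]"""),
    "api key or token": re.compile(
        r"""(?i)(api[_-]?key|auth[_-]?token|secret[_-]?key)\s*[:=]\s*['"][^'"]{8,}['"]"""),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credentials in url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@"),
}

# Constructed sample: a deployment script as it might be committed to a repo.
# Lines 3, 4, 6 and 7 carry literal credentials; line 5 reads the value from
# the environment and line 8 from a vault, so neither should be flagged.
SAMPLE_SOURCE = """\
# deployment settings for the payment service (constructed sample)
DB_HOST = "db.internal.example"
DB_PASSWORD = "Sup3rS3cret!"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = os.environ["PAYMENT_API_KEY"]
ssh_key = "-----BEGIN OPENSSH PRIVATE KEY-----"
repo_url = "https://deploy:hunter2@git.internal.example/app.git"
db_password = vault.read("secret/app/db")
"""


def scan_for_secrets(text):
    """Return (line_number, kind, stripped_line) for every line that matches a
    pattern. References to environment variables or vault paths are not
    flagged, because the value patterns require a quoted literal value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
    return findings


def commit_is_clean(text):
    """Gate suitable for a pre-commit or CI check: True when nothing was found."""
    return not scan_for_secrets(text)


if __name__ == "__main__":
    for lineno, kind, line in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {line}")
    print("clean" if commit_is_clean(SAMPLE_SOURCE) else "credentials found, reject commit")
```

Run as a script it lists the four offending lines and rejects the sample; wired into a pre-commit hook or a CI stage, the same `commit_is_clean` check stops the file before it is shared through the repository at all.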

The additional privileged credentials tied to people, services and applications are an ideal target for an external attacker or a malicious insider. After all, they make it possible to control a company's entire IT infrastructure.

The security risk is even higher when companies use a variety of tools for orchestration and automation. DevOps projects use, for example, tools for CI (continuous integration) and CD (continuous delivery) as well as source code repositories like GitHub. The tools in a DevOps toolchain, such as Ansible, Chef, Puppet and Jenkins, share no common standard, which makes it challenging for companies to establish individual, specific security measures for each and every tool.

Access management workflows in particular diverge greatly. Consequently, many companies either have no access management strategy at all, or have one that is inconsistent and inefficient. Security vulnerabilities are the inevitable result.

How can we combat these developments?

One approach is a dedicated DevOps security stack. Here, the IT security department has to be involved and has to systematically support DevOps teams in reaching a higher level of security. The collaboration of DevOps and security teams is therefore the first step towards the successful creation of a scalable security platform and the implementation of a DevSecOps strategy that can keep up with the dynamics and rapid pace of technology.

All DevOps tools and credentials should be managed on such a security platform. Central, automated administration and storage of all credentials used in a DevOps pipeline—for example API or encryption keys, database passwords or transport layer security (TLS) certificates—are essential.

Individual secrets that control access in a DevOps production environment are, of course, also managed centrally and automatically. A vault—a highly available, secure system storage—should be used to protect all credentials of machines, systems and people. This vault should essentially be an especially hardened server that stops unauthorized access through several layers of security.
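To make the two paragraphs above concrete, here is an added example, written for this article and not CyberArk's or any other vendor's API, of the pattern a central vault imposes on a pipeline step: the step never reads a password from a file in the repository, it asks the vault at run time under its own identity, the vault checks a per-identity policy, hands out a short-lived lease, records every request (granted or denied) in an audit log, and can rotate the stored value without the pipeline changing. The `DemoVault` class, the secret path `secret/app/db-password`, the identity names and the lease TTL are all constructed assumptions; a real deployment would back this with a hardened, highly available server as the text describes.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    """A secret value handed to a consumer, valid only until expires_at."""
    path: str
    value: str
    expires_at: float


@dataclass
class AuditEvent:
    """One line of the vault's audit trail: who asked for what, and the outcome."""
    timestamp: float
    identity: str
    path: str
    allowed: bool


class DemoVault:
    """Minimal in-memory stand-in for a central secrets vault (constructed for
    illustration). Consumers never touch the store directly: every read is
    checked against the caller's policy, returned as a short-lived lease and
    written to the audit log, whether it was granted or denied."""

    def __init__(self, lease_ttl_seconds=300):
        self._store = {}        # secret path -> current value
        self._policies = {}     # identity -> set of readable paths
        self._ttl = lease_ttl_seconds
        self.audit_log = []

    def put(self, path, value):
        self._store[path] = value

    def grant(self, identity, *paths):
        """Least privilege: an identity can read only the paths granted to it."""
        self._policies.setdefault(identity, set()).update(paths)

    def read(self, identity, path, now=None):
        now = time.time() if now is None else now
        allowed = path in self._policies.get(identity, set()) and path in self._store
        self.audit_log.append(AuditEvent(now, identity, path, allowed))
        if not allowed:
            raise PermissionError(f"{identity} may not read {path}")
        return Lease(path, self._store[path], now + self._ttl)

    def rotate(self, path):
        """Replace the stored value; consumers pick up the new one on their next lease."""
        new_value = secrets.token_urlsafe(24)
        self._store[path] = new_value
        return new_value


def lease_is_valid(lease, now):
    return now < lease.expires_at


DB_SECRET_PATH = "secret/app/db-password"   # assumed path, not a real product convention


def run_db_migration(vault, identity, now=None):
    """A pipeline step that obtains the database password from the vault at
    run time, under its own identity, instead of reading it from a config
    file committed to the repository. The database work itself is omitted."""
    lease = vault.read(identity, DB_SECRET_PATH, now)
    # ... connect with lease.value and run the migration here ...
    return lease


if __name__ == "__main__":
    vault = DemoVault(lease_ttl_seconds=60)
    vault.put(DB_SECRET_PATH, "initial-password")           # constructed value
    vault.grant("jenkins-deploy-job", DB_SECRET_PATH)
    lease = run_db_migration(vault, "jenkins-deploy-job")
    print("deploy job got a lease valid until", lease.expires_at)
    try:
        vault.read("workstation-user", DB_SECRET_PATH)
    except PermissionError as err:
        print("denied:", err)
    for event in vault.audit_log:
        print(f"{event.identity} -> {event.path}: {'granted' if event.allowed else 'denied'}")
```

The point of the audit log is that the denied request is recorded just like the granted one: a vault that only logs successes gives the security team nothing to alert on when an identity starts asking for secrets outside its policy.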


Michael Kleist is Regional Director DACH at CyberArk in Düsseldorf.
