
DevOps with Open Source? For sure!

The use of open source supports DevOps teams in agile software development. But in the drive to produce code faster and faster, protecting confidential and privileged credentials often falls by the wayside.
Michael Kleist, CyberArk
December 9, 2021
Open Source
This text has been automatically translated from German to English.

DevOps teams today are under high pressure to rapidly deliver new applications and services to drive digital transformation in the enterprise. They are helped by open source tools that work well together thanks to open interfaces and standards, and allow extensive automation of continuous integration and delivery (CI/CD) processes.

The tools are easy to evaluate and roll out, without support and - unfortunately - often without coordination with IT and security teams. But the attempt to produce new applications ever faster and provide them with updates at ever shorter intervals often leads to insecure practices - especially when dealing with confidential and privileged credentials such as passwords, API and SSH keys, and certificates.

For example, developers regularly embed credentials - such as those for accessing important databases or cloud services - directly in the program code or store them in configuration files. This is risky in any case, because code and configurations are usually stored in central repositories to which many different users have access. In the case of open source, which thrives on the community idea and the sharing of source code, there is the additional risk that credentials leave the company unintentionally and make an attack easy. Sharing code is certainly desirable and important for the further development of open source software, but credentials have no place in the code.
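A repository check for the hard-coded credentials described above, as an added example that is not part of the original article: it flags literal passwords, API keys and private keys in files, while letting values that are only resolved at runtime (environment variables, template placeholders) pass. The file names, rule names and file contents are constructed for illustration; the AWS key is the example value used in AWS documentation.

```python
import re

# Rules for the credential types the article names. All rule names are illustrative.
RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned-secret", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[\"']?\s*[:=]\s*[\"']?([^\s\"'#,]+)")),
]

# A value that starts like this is a reference resolved at runtime, not a stored secret.
REFERENCE = re.compile(r"\$|\{\{|<|os\.(?:environ|getenv)")

# Constructed sample: files as they might sit in a shared repository.
SAMPLE_FILES = {
    "deploy/app.env": (
        "DB_HOST=db.internal.example\n"
        "DB_PASSWORD=Sup3r-Secret-2021\n"   # literal password: should be flagged
        "API_KEY=${API_KEY}\n"              # injected at deploy time: should pass
    ),
    "scripts/backup.py": (
        "import os\n"
        "token = os.environ['BACKUP_TOKEN']\n"   # read from the environment: should pass
        "aws_key = 'AKIAIOSFODNN7EXAMPLE'\n"     # literal key ID: should be flagged
    ),
    "keys/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, body omitted)\n",
}


def scan(files):
    """Return (path, line number, rule) for every hard-coded credential found.

    The matched value is deliberately left out of the result so that the
    scan report does not become another copy of the secret.
    """
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES:
                for match in pattern.finditer(line):
                    value = match.group(match.lastindex or 0)
                    if rule == "assigned-secret" and REFERENCE.match(value):
                        continue  # nothing secret is stored in the file itself
                    findings.append((path, lineno, rule))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run as a pre-commit hook or CI step, a non-empty result would block the commit; any credential that was already pushed still has to be rotated, since it remains in the repository history.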

In addition, DevOps teams often use open source tools without sufficiently testing them for vulnerabilities and secure credential handling. Or they use third-party code that has not been sufficiently tested or is outdated. This presents security managers with the challenge of minimizing risks when using open source without slowing down DevOps teams in their work.

As a rule, they cannot rely on traditional security management solutions because they are designed for traditional software applications and development methods - and are therefore too slow, inflexible and complex for the agile development world. However, there are now modern solutions for secrets management, i.e. the control and management of privileged access to critical systems and between application parts, and these are also based on open source. These solutions protect the credentials of both technical identities and human users in DevOps environments and seamlessly integrate security into existing CI/CD processes.

Modern Secrets Management removes hard-coded credentials from applications and the scripts and configuration files of automation and configuration tools along the entire CI/CD pipeline and manages them centrally. It provides policy- and role-based access controls, credential rotation, and full documentation for audits.

It also checks requests from containers for credentials and releases them according to policy - something traditional security solutions usually fail to do due to the short lifespan of containers. New hosts in cloud environments are also assigned the appropriate identities by Secrets Management, so that DevOps teams can use automatic scaling features and do not have to manually grant permissions to new hosts.

In summary, modern secrets management authenticates, controls, and audits all access centrally across tool stacks, container platforms, and cloud environments, thus breaking down security silos. Security teams can thus reliably protect all credentials, while DevOps teams can concentrate on their actual task: the development, maintenance and operation of applications.


Michael Kleist is Regional Director DACH at CyberArk in Düsseldorf.

