venafi next-gen code signing · developer productivity. venafi next-gen code signing offers these...
TRANSCRIPT
1©2019 Venafi, Inc. All rights reserved.
// Venafi Next-Gen Code Signing
Code signing has been used for decades as a method to verify the integrity of software. It confirms the software’s original author and guarantees the code has not been corrupted, for example, with malware. Because code signing certificates are used to confirm that code is trustworthy, cybercriminals steal code signing credentials from legitimate companies to sign their malicious code. This keeps malware from triggering any warnings, and unsuspecting users will trust that the application is safe to install and use.
Code signing is a common practice, but businesses often leave their code signing credentials unprotected, making them easy to steal and use in attacks. What’s the result? Malicious code appears to be issued by a trusted company, causing significant brand damage to the company that had its code signing credentials stolen. To make matters worse, with time-stamping, malware signed with a stolen code signing credential is effectively valid indefinitely.
Simply signing code is insufficient. Businesses need to secure the complete end-to-end code signing process:
• Enterprisewide visibility into code signing activities
• Private keys stored and kept in a secure location
• Automated workflow enforcement
Plus, enterprises need all of this without sacrificing developer productivity. Venafi Next-Gen Code Signing offers these capabilities and more.
DATA SHEET
Venafi Next-Gen Code Signing at a Glance
Venafi Next-Gen Code Signing secures enterprise code signing processes by providing centralized key storage and policy enforcement while also reducing the burden on development teams.
• Delivers enterprisewide visibility of codesigning activities
• Enforces and automates code signing policiesand certificate usage
• Secures code signing private keys
• Integrates with popular CAs, HSMs andsoftware development tool chains
By combining visibility and intelligence with workflow automation and controls, Next-Gen Code Signing protects against unauthorized use of code signing certificates while providing an audit trail of all code signing activities.
Benefits
• Eliminates risks from unsecured private keysand private key sprawl
• Ensures code signing security with policyenforcement and reporting
• Improves efficiency through distributed signingand automation of requests and approvals
• Eliminates code signing delays
Delivers a secure enterprise code signing process that doesn’t impact developers and extends machine identity protection to all used and developed code
2©2019 Venafi, Inc. All rights reserved.
• Who signed the code?
• When was it signed?
• What credentials were used to sign the code?
• What code signing tools were used to sign the code?
• Who, if anyone, approved the code to be signed?
Lack of Policy Enforcement
Many development teams are responsible for signing their own code. Because of this, it can be difficult to enforce established code signing approvals and workflow processes. Furthermore, different software projects and stages of software development may require different code signing processes, making consistent, yet stage-specific, policy enforcement difficult.
The Solution: Venafi Next-Gen Code Signing
Venafi Next-Gen Code Signing secures enterprise code signing by combining these elements:
• A central, permanent storage location for private keys where they can remain protected
• Comprehensive visibility and detailed intelligence to track all code signing activities
• Flexible, consistent and customizable policy enforcement
• Automation and support for developer processes
• Scalability that addresses enterprise code signing requirements today and as digital transformation continues
The result is assurance that code signing credentials are protected from unauthorized internal or external use by leveraging a solution that enables development and InfoSec teams to work together more efficiently.
Secure, Centralized Storage
Venafi Next-Gen Code Signing provides secure, centralized storage for all code signing private keys. No matter which code signing tools development teams use, private keys remain secure and never leave the trusted Venafi storage platform or a connected HSM.
Challenges
As part of their responsibility to secure the company, InfoSec teams need to secure all code signing credentials used in the company. To do this, however, they must ensure the entire code signing process is secure and be able to deliver an auditable record of all code signing activities. But achieving this can be challenging. Software development teams often view code signing processes as interfering with their need to be agile. They do not want their efforts stymied by labor-intensive, time-consuming processes or specialized signing tools. Yet without a secure code signing process, enterprises have difficulty in protecting code signing credentials from theft and misuse.
Unprotected Private Keys
When dealing with large, dispersed and agile development teams, it can be difficult to properly secure all code signing private keys while meeting the demands for high-speed and quality code software delivery. Development teams may not appreciate the risks unsecured keys pose to the organization and may store them in convenient but less secure locations, including their own personal workstations, build servers or webservers. Even a single compromised key can put the organization at risk.
Some organizations have recognized the need to protect private keys using secure, centralized key storage. However, most of these organizations have implemented solutions that are unacceptable for developers. When protecting private keys, most enterprises do not use automation and often use solutions that require code to be uploaded to a central server to be signed. Both approaches lead to delays and poor performance.
Lack of Enterprisewide Visibility
When teams, certificates and code signing activities are dispersed around the enterprise without a next-gen code signing solution, it is impossible to have the visibility needed to secure code signing processes.
Organizations need answers to the following code signing questions:
3©2019 Venafi, Inc. All rights reserved.
used. Policy definitions can be assigned on a project-by-project level basis, assuring that proper usage and approvals processes are applied based on the needs of each project. This is accomplished through automation, eliminating the need for developers to learn and use new code signing tools.
Software Developer Friendly
Venafi Next-Gen Code Signing plugs directly into native code signing tools provided by most software development environments. Therefore, no changes are needed to any software build scripts to begin using Next-Gen Code Signing. Plus, signing operations occur locally, eliminating the need to transfer large executables to a central service. Consequently, there is no increase in the time it takes to perform a signing operation.
By providing an automated code signing service, the hassle and overhead of personally managing and requesting code signing certificates is eliminated, improving efficiency.
Global Visibility and Intelligence
Venafi Next-Gen Code Signing acts as a bridge:
• For code signing activities across an entire organization
• For certificates from different CAs
• For the use of different HSMs
With comprehensive visibility, enterprises gain detailed intelligence, including who has signed what code with which certificate, who approved the request, and when it all occurred.
Using the detailed intelligence gathered, Venafi Next-Gen Code Signing provides compliance and audit reporting that includes all code signing activities.
Consistent Policy Enforcement
Using Venafi Next-Gen Code Signing, project owners can control code signing policy definitions. They can define who approves requests, who can access the certificates and what code signing tools can be
Venafi Platform
Next-Gen Code Signing
User Interface Layer: REST API | Web UI
Approval Flow Policy Reporting
Revocation Enrollment Generation
Signing Notification Monitoring Auditing
System Integration Layer
Dev Group A with Desktops
Developers with Build Farms
Dev Group B with Desktops
EmailSystem
CertificateAuthorities
HSMappliances
Auditor Admin Approver
SIEM
Figure 1. How Venafi Next-Gen Code Signing Supports Enterprise Code Signing Processes
4©2019 Venafi, Inc. All rights reserved.
Secure Private Key Storage and Usage
Centralized Key Storage
• Securely store all code signing private keys across the enterprise• Use a built-in encrypted database or integrate with leading HSM providers• Seamlessly integrate with cryptographic operations supported by mainstream
HSM appliances
Single Copy of Private Keys
• Prevent private keys from ever leaving the trusted storage location• Block any entity from obtaining a copy of the private keys
Security Compliance
• Support multiple HSM instances deployed in different regional territories that are subject to a variety of jurisdictional requirements
Global Visibility and Intelligence
Single Repository
• Maintain a single pane-of-glass view of all enterprise code signing operations and signing assets across the entire organization
• Monitor and notify your team of any abnormalities or noteworthy events
Regulatory Compliance
• Maintain a record of all code signing activities
• Know who signed what code using which certificate• Know who approved the signing request• Know which code signing application was used• Know when the signing took place• Know who approved the request
• Backtrack to identify accountability for assigning transactions and involved assets
Signing Operation Validation
• Validate that a piece of code or software is properly signed through the established, controlled process
• Show that risky negligence or slip through has been eliminated
Comprehensive Reporting
• Deliver reports to executives and asset stakeholders to ensure timely visibility• Apply customizable report filters, column selection, sorting and formatting (CSV or PDF)
Action-Based Dashboard
• Identify signing activity, asset risk and anomalies via customizable dashboards• Maintain an always up-to-date snapshot of interesting asset trends• Leverage trend graphs to detect risks and track remediation progress
Scalable and Flexible
Venafi Next-Gen Code Signing is integrated with the Venafi Platform, the leading solution for machine identity protection. The platform supports any size organization, from those with hundreds of code
signing operations a month to those with tens of millions. Using integrations with multiple CAs, HSMs and software development tools, along with a proven scalable and reliable architecture, Venafi Next-Gen Code Signing is ideal for even the most complex and large organizations.
How It Works
5©2019 Venafi, Inc. All rights reserved.
Consistent Policy Enforcement
Establishing Policies
• Define code signing policies on a project-by-project basis and on a software development phase-by-phase basis
• Enforce defined or customized approval workflows on the signing requests
Access Control and Accountability
• Assign ownership of specific code signing projects• Specify which certificates may be used• Specify who can sign code • Specify which code signing tools are authorized• Specify what approval, if any, is required before the key can be used
SIEM/Alerts • Deliver alerts and notifications via email, syslog, SNMP, Splunk, file, ServiceNow and more
Streamlined and Automated Management of Code signing Process
CA Flexibility • Leverage integration of direct certificate issuance with leading commercial CAs• Address unique organizational needs using an integration framework
Private CA Import
• Automatically import code signing certificates from one or more Microsoft CAs (AD CS)
• Schedule imports to take place at specific intervals
Automated Certificate Lifecycle Management
• Automate certificate issuance, renewals and revocation• Eliminate the need for developers to manually perform these tasks
Developer-Friendly Approach
• Work seamlessly with existing software development workflows and tools, and code signing tools
• Get fast signing on the local build machine that eliminates the need to upload code to a service
Automation with Pipeline
• Fit client virtualization and containerization into DevOps practices without any specialized knowledge
6©2019 Venafi, Inc. All rights reserved.
The Venafi Platform
The Venafi Platform delivers the machine identity and risk intelligence necessary to automatically safeguard machine-to-machine communications. It secures keys and certificates—SSL/TLS, SSH, mobile endpoint, user and code signing—that serve as machine identities and continuously collects the comprehensive intelligence needed to accurately assess security and availability risks and their remediation.
Venafi Next-Gen Code Signing is part of the Venafi Platform, extending protection of machine identities to secure code signing processes.
The Venafi Platform is a mature solution:
• Scales up to 1 million certificates with load-balanced architecture
• Is supported by over 30 machine identity-related patents
• Is Common Criteria Certified
• Uses network zone partitioning
• Enables multifactor authentication and single sign-on
Next Steps
Are you concerned that your company’s code signing machine identities are vulnerable? Venafi Next-Gen Code Signing can protect private keys, increase your visibility and enforce policy without adding a burden to your software development teams. Contact Venafi to learn how Venafi Next-Gen Code Signing can secure your code signing processes.
Visit www.venafi.com
Trusted by:
5 OF THE 5 Top U.S. Health Insurers 5 OF THE 5 Top U.S. Airlines 3 OF THE 5 Top U.S. Retailers 3 OF THE 5 Top Accounting/Consulting Firms4 OF THE 5 Top Payment Card Issuers 4 OF THE 5 Top U.S. Banks 4 OF THE 5 Top U.K. Banks 4 OF THE 5 Top S. African Banks 4 OF THE 5 Top AU Banks
About Venafi
Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.
To learn more, visit www.venafi.com