Venafi Next-Gen Code Signing · developer productivity. Venafi Next-Gen Code Signing offers these capabilities and more. DATA SHEET. Venafi Next-Gen Code Signing at a Glance. Venafi

1©2019 Venafi, Inc. All rights reserved.

// Venafi Next-Gen Code Signing

Code signing has been used for decades as a method to verify the integrity of software. It confirms the software’s original author and guarantees the code has not been corrupted, for example, with malware. Because code signing certificates are used to confirm that code is trustworthy, cybercriminals steal code signing credentials from legitimate companies to sign their malicious code. This keeps malware from triggering any warnings, and unsuspecting users will trust that the application is safe to install and use.

Code signing is a common practice, but businesses often leave their code signing credentials unprotected, making them easy to steal and use in attacks. What’s the result? Malicious code appears to be issued by a trusted company, causing significant brand damage to the company that had its code signing credentials stolen. To make matters worse, with time-stamping, malware signed with a stolen code signing credential is effectively valid indefinitely.

Simply signing code is insufficient. Businesses need to secure the complete end-to-end code signing process:

• Enterprisewide visibility into code signing activities

• Private keys stored and kept in a secure location

• Automated workflow enforcement

Plus, enterprises need all of this without sacrificing developer productivity. Venafi Next-Gen Code Signing offers these capabilities and more.

DATA SHEET

Venafi Next-Gen Code Signing at a Glance

Venafi Next-Gen Code Signing secures enterprise code signing processes by providing centralized key storage and policy enforcement while also reducing the burden on development teams.

• Delivers enterprisewide visibility of codesigning activities

• Enforces and automates code signing policiesand certificate usage

• Secures code signing private keys

• Integrates with popular CAs, HSMs andsoftware development tool chains

By combining visibility and intelligence with workflow automation and controls, Next-Gen Code Signing protects against unauthorized use of code signing certificates while providing an audit trail of all code signing activities.

Benefits

• Eliminates risks from unsecured private keysand private key sprawl

• Ensures code signing security with policyenforcement and reporting

• Improves efficiency through distributed signingand automation of requests and approvals

• Eliminates code signing delays

Delivers a secure enterprise code signing process that doesn’t impact developers and extends machine identity protection to all used and developed code

2©2019 Venafi, Inc. All rights reserved.

• Who signed the code?

• When was it signed?

• What credentials were used to sign the code?

• What code signing tools were used to sign the code?

• Who, if anyone, approved the code to be signed?

Lack of Policy Enforcement

Many development teams are responsible for signing their own code. Because of this, it can be difficult to enforce established code signing approvals and workflow processes. Furthermore, different software projects and stages of software development may require different code signing processes, making consistent, yet stage-specific, policy enforcement difficult.

The Solution: Venafi Next-Gen Code Signing

Venafi Next-Gen Code Signing secures enterprise code signing by combining these elements:

• A central, permanent storage location for private keys where they can remain protected

• Comprehensive visibility and detailed intelligence to track all code signing activities

• Flexible, consistent and customizable policy enforcement

• Automation and support for developer processes

• Scalability that addresses enterprise code signing requirements today and as digital transformation continues

The result is assurance that code signing credentials are protected from unauthorized internal or external use by leveraging a solution that enables development and InfoSec teams to work together more efficiently.

Secure, Centralized Storage

Venafi Next-Gen Code Signing provides secure, centralized storage for all code signing private keys. No matter which code signing tools development teams use, private keys remain secure and never leave the trusted Venafi storage platform or a connected HSM.

Challenges

As part of their responsibility to secure the company, InfoSec teams need to secure all code signing credentials used in the company. To do this, however, they must ensure the entire code signing process is secure and be able to deliver an auditable record of all code signing activities. But achieving this can be challenging. Software development teams often view code signing processes as interfering with their need to be agile. They do not want their efforts stymied by labor-intensive, time-consuming processes or specialized signing tools. Yet without a secure code signing process, enterprises have difficulty in protecting code signing credentials from theft and misuse.

Unprotected Private Keys

When dealing with large, dispersed and agile development teams, it can be difficult to properly secure all code signing private keys while meeting the demands for high-speed and quality code software delivery. Development teams may not appreciate the risks unsecured keys pose to the organization and may store them in convenient but less secure locations, including their own personal workstations, build servers or webservers. Even a single compromised key can put the organization at risk.

Some organizations have recognized the need to protect private keys using secure, centralized key storage. However, most of these organizations have implemented solutions that are unacceptable for developers. When protecting private keys, most enterprises do not use automation and often use solutions that require code to be uploaded to a central server to be signed. Both approaches lead to delays and poor performance.

Lack of Enterprisewide Visibility

When teams, certificates and code signing activities are dispersed around the enterprise without a next-gen code signing solution, it is impossible to have the visibility needed to secure code signing processes.

Organizations need answers to the following code signing questions:

3©2019 Venafi, Inc. All rights reserved.

used. Policy definitions can be assigned on a project-by-project level basis, assuring that proper usage and approvals processes are applied based on the needs of each project. This is accomplished through automation, eliminating the need for developers to learn and use new code signing tools.

Software Developer Friendly

Venafi Next-Gen Code Signing plugs directly into native code signing tools provided by most software development environments. Therefore, no changes are needed to any software build scripts to begin using Next-Gen Code Signing. Plus, signing operations occur locally, eliminating the need to transfer large executables to a central service. Consequently, there is no increase in the time it takes to perform a signing operation.

By providing an automated code signing service, the hassle and overhead of personally managing and requesting code signing certificates is eliminated, improving efficiency.

Global Visibility and Intelligence

Venafi Next-Gen Code Signing acts as a bridge:

• For code signing activities across an entire organization

• For certificates from different CAs

• For the use of different HSMs

With comprehensive visibility, enterprises gain detailed intelligence, including who has signed what code with which certificate, who approved the request, and when it all occurred.

Using the detailed intelligence gathered, Venafi Next-Gen Code Signing provides compliance and audit reporting that includes all code signing activities.

Consistent Policy Enforcement

Using Venafi Next-Gen Code Signing, project owners can control code signing policy definitions. They can define who approves requests, who can access the certificates and what code signing tools can be

Venafi Platform

Next-Gen Code Signing

User Interface Layer: REST API | Web UI

Approval Flow Policy Reporting

Revocation Enrollment Generation

Signing Notification Monitoring Auditing

System Integration Layer

Dev Group A with Desktops

Developers with Build Farms

Dev Group B with Desktops

EmailSystem

CertificateAuthorities

HSMappliances

Auditor Admin Approver

SIEM

Figure 1. How Venafi Next-Gen Code Signing Supports Enterprise Code Signing Processes

4©2019 Venafi, Inc. All rights reserved.

Secure Private Key Storage and Usage

Centralized Key Storage

• Securely store all code signing private keys across the enterprise• Use a built-in encrypted database or integrate with leading HSM providers• Seamlessly integrate with cryptographic operations supported by mainstream

HSM appliances

Single Copy of Private Keys

• Prevent private keys from ever leaving the trusted storage location• Block any entity from obtaining a copy of the private keys

Security Compliance

• Support multiple HSM instances deployed in different regional territories that are subject to a variety of jurisdictional requirements

Global Visibility and Intelligence

Single Repository

• Maintain a single pane-of-glass view of all enterprise code signing operations and signing assets across the entire organization

• Monitor and notify your team of any abnormalities or noteworthy events

Regulatory Compliance

• Maintain a record of all code signing activities

• Know who signed what code using which certificate• Know who approved the signing request• Know which code signing application was used• Know when the signing took place• Know who approved the request

• Backtrack to identify accountability for assigning transactions and involved assets

Signing Operation Validation

• Validate that a piece of code or software is properly signed through the established, controlled process

• Show that risky negligence or slip through has been eliminated

Comprehensive Reporting

• Deliver reports to executives and asset stakeholders to ensure timely visibility• Apply customizable report filters, column selection, sorting and formatting (CSV or PDF)

Action-Based Dashboard

• Identify signing activity, asset risk and anomalies via customizable dashboards• Maintain an always up-to-date snapshot of interesting asset trends• Leverage trend graphs to detect risks and track remediation progress

Scalable and Flexible

Venafi Next-Gen Code Signing is integrated with the Venafi Platform, the leading solution for machine identity protection. The platform supports any size organization, from those with hundreds of code

signing operations a month to those with tens of millions. Using integrations with multiple CAs, HSMs and software development tools, along with a proven scalable and reliable architecture, Venafi Next-Gen Code Signing is ideal for even the most complex and large organizations.

How It Works

5©2019 Venafi, Inc. All rights reserved.

Consistent Policy Enforcement

Establishing Policies

• Define code signing policies on a project-by-project basis and on a software development phase-by-phase basis

• Enforce defined or customized approval workflows on the signing requests

Access Control and Accountability

• Assign ownership of specific code signing projects• Specify which certificates may be used• Specify who can sign code • Specify which code signing tools are authorized• Specify what approval, if any, is required before the key can be used

SIEM/Alerts • Deliver alerts and notifications via email, syslog, SNMP, Splunk, file, ServiceNow and more

Streamlined and Automated Management of Code signing Process

CA Flexibility • Leverage integration of direct certificate issuance with leading commercial CAs• Address unique organizational needs using an integration framework

Private CA Import

• Automatically import code signing certificates from one or more Microsoft CAs (AD CS)

• Schedule imports to take place at specific intervals

Automated Certificate Lifecycle Management

• Automate certificate issuance, renewals and revocation• Eliminate the need for developers to manually perform these tasks

Developer-Friendly Approach

• Work seamlessly with existing software development workflows and tools, and code signing tools

• Get fast signing on the local build machine that eliminates the need to upload code to a service

Automation with Pipeline

• Fit client virtualization and containerization into DevOps practices without any specialized knowledge

6©2019 Venafi, Inc. All rights reserved.

The Venafi Platform

The Venafi Platform delivers the machine identity and risk intelligence necessary to automatically safeguard machine-to-machine communications. It secures keys and certificates—SSL/TLS, SSH, mobile endpoint, user and code signing—that serve as machine identities and continuously collects the comprehensive intelligence needed to accurately assess security and availability risks and their remediation.

Venafi Next-Gen Code Signing is part of the Venafi Platform, extending protection of machine identities to secure code signing processes.

The Venafi Platform is a mature solution:

• Scales up to 1 million certificates with load-balanced architecture

• Is supported by over 30 machine identity-related patents

• Is Common Criteria Certified

• Uses network zone partitioning

• Enables multifactor authentication and single sign-on

Next Steps

Are you concerned that your company’s code signing machine identities are vulnerable? Venafi Next-Gen Code Signing can protect private keys, increase your visibility and enforce policy without adding a burden to your software development teams. Contact Venafi to learn how Venafi Next-Gen Code Signing can secure your code signing processes.

Visit www.venafi.com

Trusted by:

5 OF THE 5 Top U.S. Health Insurers 5 OF THE 5 Top U.S. Airlines 3 OF THE 5 Top U.S. Retailers 3 OF THE 5 Top Accounting/Consulting Firms4 OF THE 5 Top Payment Card Issuers 4 OF THE 5 Top U.S. Banks 4 OF THE 5 Top U.K. Banks 4 OF THE 5 Top S. African Banks 4 OF THE 5 Top AU Banks

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.

To learn more, visit www.venafi.com