Venafi Debuts Next-Gen Code Signing

Venafi®, the inventor and leading provider of machine identity protection, announced the debut of Next-Gen Code Signing, a machine identity protection solution that secures code signing processes by delivering enterprise-wide visibility into all code signing operations. Next-Gen Code Signing provides centralized private key storage, code signing policy enforcement, and automation while reducing the code signing burden on software development teams.

For decades, code signing has been used to verify the integrity of software, and nearly every organization relies on it to confirm their code has not been corrupted with malware. Despite this, modern organizations often struggle to secure and protect code signing operations because they don’t have a solution that allows them to consistently enforce policies across locations, tools and processes without slowing down development teams.

“Today, every organization is a software developer building apps, libraries, containers and other tools,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “However, it can be very difficult to scale code signing operations. The security procedures that protect code signing are typically seen as cumbersome, and developers often ignore them. Unfortunately, this leaves security teams in the dark and it’s very advantageous for bad actors. Stolen code signing keys are powerful cyber weapons that put companies and their customers at risk. From Stuxnet to everyday malware and phishing campaigns, attacks that leverage code signing evade next-generation AV detection.”

In addition to securing enterprise code signing processes, Next-Gen Code Signing automates the management of all code signing private keys. Private code signing keys never leave the trusted Venafi storage platform or connected hardware security modules (HSMs). This new solution provides information security teams with comprehensive visibility and detailed intelligence about all aspects of code signing operations, including who signed the code and with which certificate, as well as who approved the request and when each action occurred. Using the intelligence gathered from code signing processes, Next-Gen Code Signing delivers compliance and audit reporting across all code signing activities.

Key benefits of Next-Gen Code Signing include:

  • Scalability that can support anything from a few developers in one location to tens of thousands of developers distributed globally, and millions of code signing operations a week.
  • Automation and support for a broad range of software development processes; development teams do not need to change tools.
  • A central, permanent storage location for private keys so they remain protected.
  • Flexible, customizable policy enforcement that supports the needs of multiple software projects, including the approval of workflows, certificate types, certificate authorities, HSMs and software development tool sets.
  • The ability for security teams to provide a code signing service that enforces policies and is transparent to developers.

Bocek concludes: “Next-Gen Code Signing lets software developers use the same code signing tools and does not require changes to their build environments. It provides an invisible layer of technology that keeps code signing keys safe and out of the hands of attackers. Venafi Next-Gen Code Signing gives security teams and developers an exciting way to be both fast and safe.”

Venafi Next-Gen Code Signing is available now. To learn more, please visit:
https://www.venafi.com/platform/code-signing.

Resources:

Data Sheet: Venafi Next-Gen Code Signing
Solution Brief: How InfoSec Can Secure the Code Signing Process
Blog: Next Gen Code Signing Takes Machine Identity Protection to the Next Level

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, code signing, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. Venafi is backed by top-tier investors, including TCV, Foundation Capital, Intel Capital, QuestMark Partners, Mercato Partners and NextEquity.