Skip to main content
banner image
venafi logo

5 Best Practices to Secure Your Code Signing Process

5 Best Practices to Secure Your Code Signing Process

Code signing, code signing certificate, infosec
June 13, 2019 | Eddie Glenn


Last week, we discussed 5 things that might indicate that your company has a code signing problem. Remember, the problem isn’t with the code signing operation itself. Signing code is a well-recognized security best practice. But the way that you do it can make all the difference in the success of your code signing efforts. What you need to look at is how your company secures machine identities throughout your code signing process.



In this week’s blog, let’s take a look at 5 best practices that can help your company get your code signing problem under control.


#1: Establishing Global Visibility

The first step in securing the code signing process is for your InfoSec team to establish complete visibility across the enterprise for all code signing activities. You need to know critical information, such as:



  • Which code is being signed, no matter whether it is for internal only or external use
  • Which code signing certificates are being used, regardless of the certificate authority they come from, including internally generated certificates
  • Who signed code, which machine it was signed on, when it was signed, and which code signing tool was used
  • Who, if anyone, approved the code signing operation

#2: Centrally Securing all Code Signing Private Keys

The next step in establishing a secure code signing process is to move private code signing keys off of all developers’ computers, build servers, web servers, sticky notes, etc. Private keys should be stored in an encrypted, secure and centralized location. Private keys should never leave this location for any reason. You need to customize storage options for developers based on the type of code signing certificates that they are using. For example, extended validation (EV) certificates must be stored in a hardware security module (HSM). In addition, some compliance regulations may require that the secure storage reside within a certain location. Therefore, you may need to offer multiple secure locations.


#3: Defining and Enforcing Policy with Automation

One of the reasons that development teams resist corporate security policies is that the policies are often built around manual processes. This is particularly counter-intuitive for DevOps teams that are developing at speed and scale. Manual processes simply don’t match the requirements of their projects. Because of this, you should provide a code signing platform that allows every development team to define their own code signing policies and workflows, such as:


  • Who is authorized to sign code
  • What code signing tools are authorized to be used
  • Which types of certificates are allowed
  • Who must approve (based on certificate type or phase of software development)


That platform should also be able to automatically enforce those defined policies through workflow automation. Integrating with third-party code signing tools that developers already use helps ensure easy adoption. You will want to pay particular attention to integrating with corporate platforms such as active directory, ticketing systems, and other SIEM tools.


#4: Being a Hero, Not an Obstacle

In many cases, managing their own code signing infrastructure, requests for code signing certificates, renewals and more is a burden for your software development teams. You will help them achieve more secure software delivery if you are able to replace this burden with an automated, flexible platform that supports their unique needs. Furthermore, your developers will require a solution that does not add additional burden like rewriting build scripts, installing memory-resident programs, learning new tools, or slowing down their automated build processes by requiring code be offloaded to a central server for signing.


#5: Showing Compliance—Always

Your function is to secure your company’s information, including code signing credentials. A part of the success of this effort will be showing that you are effectively achieving the end goal. It’s important that you can demonstrate that you have a secured code signing process across the entire enterprise. By having an irrefutable record of all code signing operations—such as knowing where all private keys are stored and knowing that policies are always enforced—helps you ensure compliance.


Are you following these best practices for your code signing process?



Related posts

Like this blog? We think you will love this.
Featured Blog

Study Shows Widespread Abuse of Code Signing Certificates

A study by Vi

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Eddie Glenn
Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more