Can Code Signing Be Both Fast and Secure?

August 1, 2019 | Eddie Glenn


Do we really have to choose between a Bugatti and a Volvo?


We are taught that life is about choices and sacrifice. Eat the celery or the cheesecake. Get good grades or have fun. Have a successful career or a family. When it comes to buying cars, choice and sacrifice couldn’t be clearer. Buy a car that is safe or buy a car that is fun (and just to be clear, I equate fast with fun).

In business, we often have to make choices and sacrifice one priority for another. Grow revenue more quickly or reduce costs. Add more product features or release a product sooner. These decisions can be tough. In addition, depending on where you are in the organization, your priorities (choice and willingness to sacrifice) are likely to be very different from those of that department on the other floor.

When you look at the priorities of the product development organization and the InfoSec team, these differences couldn’t be any bigger. Development teams, under constant pressure from management and competition, are trying to get more products with more features out the door faster than ever. Their priorities and sacrifices are clear: go faster at the expense of security.

InfoSec is also under pressure, but pressure of a different sort. Cybercriminal activity is at an all-time high. Cybercriminals are becoming more creative and bolder. CISOs and InfoSec teams are losing their jobs when a security breach occurs. Their priorities and sacrifices are also clear: increase security, regardless of impact on the speed of the business.

Let’s dive in a little deeper and discuss how these competing priorities manifest themselves when it comes to code signing (don’t know what code signing is? Check out this great resource!). Code signing itself is a simple operation often performed by a free utility provided within a software development environment. However, it’s the process and people involved with code signing that can cause problems.



InfoSec is acutely aware of the risks around stolen or misused code signing keys. They know that this can potentially cause great damage to the organization. Too many recently publicized incidents have alerted the C-Suite as well. InfoSec’s response? Protect these keys at all costs. Establish rigorous processes. Require that their team handle all code signing activities. Move all keys into one central location, accessible only by them.

But this priority has a consequence on the development organization. What they deem to be heavy-handed processes and procedures are slowing them down. They can’t get product out the door as fast as they need to. So, what do they do? They start finding ways to circumvent the system. They obtain their own code signing certificates and keys, or they altogether skip signing code that probably should be signed.

What’s the consequence of this on the InfoSec team? Increased risks for the organization, including private key sprawl and lack of visibility into code signing.

What if you didn’t have to sacrifice speed for security or security for speed? What if you could have the safety of Volvo built into a Bugatti or the speed of a Bugatti built into a Volvo?

When Venafi launched its Next-Gen Code Signing solution earlier this year, we were excited to provide a solution that offered both speed to development teams along with improved security for the InfoSec teams. And we didn’t stop there. We added in flexibility and scalability, something that today’s businesses also require.

Our solution is a hybrid approach to code signing. A part of the code signing operation occurs locally where the development teams are building their software, but the private code signing key used remains protected in a secure, centralized location.

Why is this faster for development teams? They continue to use the same code signing tools they have always used. There is no need to learn new tools or modify existing build automation. Code signing isn’t slowed down by uploading the entire executable to a central server or hand-delivering it on a USB stick across the building. Developers don’t have to manage their own certs or keys. Different code signing processes and workflows can be defined for different software projects and phases of the software lifecycle.

Why is this more secure for InfoSec teams? By providing an automated service that offers value to the development team without slowing them down, there is less likelihood that the development team will circumvent the system, which reduces private key sprawl. Resources previously assigned to supporting code signing can be freed up for other InfoSec priorities. Policy enforcement and process are automated, ensuring that future audits are clean.
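To make the hybrid split concrete, here is an added example (written for this page, not Venafi's code or API) of the architecture the three paragraphs above describe: the build host hashes the artifact locally, only the digest is sent to a central signing service, the private key never leaves that service, and every request is checked against a per-project, per-phase policy and written to an audit trail. It assumes that only a digest crosses the boundary and uses Ed25519 from Go's standard library as a stand-in for whatever key type and HSM a real deployment uses; the project name `payments-app`, the phases `dev`/`release` and all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrPolicy is returned when a project/phase pair is not allowed to sign.
var ErrPolicy = errors.New("signing request rejected by policy")

// SignRequest is everything the build host sends to the central service.
// Only the digest crosses the boundary (an assumption of this example),
// so a large binary never has to be uploaded.
type SignRequest struct {
	Project string
	Phase   string // e.g. "dev", "release"
	Digest  [sha256.Size]byte
}

// AuditEntry records every request, allowed or not, for later review.
type AuditEntry struct {
	Project string
	Phase   string
	Digest  string
	Allowed bool
}

// SigningService models the central location that holds the private key.
// The key lives only inside this struct and is never handed to callers.
type SigningService struct {
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	policy map[string]map[string]bool // project -> phase -> allowed
	Audit  []AuditEntry
}

// NewSigningService generates a fresh Ed25519 key pair (stand-in for a key
// held in an HSM) and installs the per-project, per-phase signing policy.
func NewSigningService(policy map[string]map[string]bool) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, pub: pub, policy: policy}, nil
}

// PublicKey is the only key material that leaves the service.
func (s *SigningService) PublicKey() ed25519.PublicKey { return s.pub }

// Sign enforces policy, writes an audit entry and signs the digest.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	allowed := s.policy[req.Project][req.Phase] // lookups in a nil map yield false
	s.Audit = append(s.Audit, AuditEntry{
		Project: req.Project,
		Phase:   req.Phase,
		Digest:  hex.EncodeToString(req.Digest[:]),
		Allowed: allowed,
	})
	if !allowed {
		return nil, ErrPolicy
	}
	return ed25519.Sign(s.priv, req.Digest[:]), nil
}

// LocalDigest is the part of the operation that runs on the build host.
func LocalDigest(artifact []byte) [sha256.Size]byte {
	return sha256.Sum256(artifact)
}

// SignArtifact is the build-host workflow: hash locally, send the digest,
// receive the signature. The existing build tooling only needs this call.
func SignArtifact(svc *SigningService, project, phase string, artifact []byte) ([]byte, error) {
	return svc.Sign(SignRequest{Project: project, Phase: phase, Digest: LocalDigest(artifact)})
}

// VerifyArtifact is what an installer or loader does with the public key:
// recompute the digest and check the signature over it.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	// Constructed policy: the hypothetical payments-app may sign release
	// builds with the central key; dev builds are not eligible for it.
	svc, err := NewSigningService(map[string]map[string]bool{
		"payments-app": {"release": true},
	})
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed stand-in for a compiled binary")

	sig, err := SignArtifact(svc, "payments-app", "release", artifact)
	fmt.Println("release signed:", err == nil, "verifies:", VerifyArtifact(svc.PublicKey(), artifact, sig))

	_, err = SignArtifact(svc, "payments-app", "dev", artifact)
	fmt.Println("dev build rejected by policy:", errors.Is(err, ErrPolicy))

	for _, e := range svc.Audit {
		fmt.Printf("audit: project=%s phase=%s allowed=%t digest=%s...\n", e.Project, e.Phase, e.Allowed, e.Digest[:16])
	}
}
```

The point of the split is that a compromised or careless build host can request signatures only within policy, and each request leaves an audit record; it cannot copy the key, which is what makes key sprawl and unsigned or self-signed builds less tempting than in the centralized-but-slow model described earlier.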

Venafi Next-Gen Code Signing offers a win/win solution to both InfoSec teams and product development teams. There is no need to sacrifice one for the other. You can have that Bugatti/Volvo hybrid car after all.

About the author

Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.
