Can Code Signing Be Both Fast and Secure?

August 1, 2019 | Eddie Glenn

Do we really have to choose between a Bugatti and a Volvo?

We are taught that life is about choices and sacrifice. Eat the celery or the cheesecake. Get good grades or have fun. Have a successful career or a family. When it comes to buying cars, choice and sacrifice couldn’t be clearer. Buy a car that is safe or buy a car that is fun (and just to be clear, I equate fast with fun).

In business, we often have to make choices and sacrifice one priority for another. Grow revenue more quickly or reduce costs. Add more product features or release a product sooner. These decisions can be tough. In addition, depending where you are in the organization, your priorities (choice and willingness to sacrifice) are likely to be very different from those of that department on the other floor.


When you look at the priorities of the product development organization and the InfoSec team, these differences couldn’t be any bigger. Development teams, under constant pressure from management and from the competition, are trying to get more products with more features out the door faster than ever. Their priorities and sacrifices are clear: go faster at the expense of security.


InfoSec is also under pressure, but pressure of a different sort. Cybercriminal activity is at an all-time high. Cybercriminals are becoming more creative and bolder. CISOs and InfoSec teams are losing their jobs when a security breach occurs. Their priorities and sacrifices are also clear: increase security, regardless of impact on the speed of the business.


Let’s dive in a little deeper and discuss how these competing priorities manifest themselves when it comes to code signing (don’t know what code signing is? Check out this great resource!). Code signing itself is a simple operation often performed by a free utility provided within a software development environment. However, it’s the process and people involved with code signing that can cause problems.


InfoSec is acutely aware of the risks around stolen or misused code signing keys. They know that this can potentially cause great damage to the organization. Too many recently publicized incidents have alerted the C-Suite as well. InfoSec’s response? Protect these keys at all costs. Establish rigorous processes. Require that their team handle all code signing activities. Move all keys into one central location, accessible only by them.


But this priority has a consequence on the development organization. What they deem to be heavy-handed processes and procedures are slowing them down. They can’t get product out the door as fast as they need to. So, what do they do? They start finding ways to circumvent the system. They obtain their own code signing certificates and keys, or they altogether skip signing code that probably should be signed.

What’s the consequence of this on the InfoSec team? Increased risks for the organization, including private key sprawl and lack of visibility into code signing.


What if you didn’t have to sacrifice speed for security or security for speed? What if you could have the safety of a Volvo built into a Bugatti, or the speed of a Bugatti built into a Volvo?


When Venafi launched its Next-Gen Code Signing solution earlier this year, we were excited to provide a solution that offered both speed to development teams along with improved security for the InfoSec teams. And we didn’t stop there. We added in flexibility and scalability, something that today’s businesses also require.


Our solution is a hybrid approach to code signing. A part of the code signing operation occurs locally where the development teams are building their software, but the private code signing key used remains protected in a secure, centralized location.


Why is this faster for development teams? They continue to use the same code signing tools they have always used. There is no need to learn new tools or modify existing build automation. Code signing isn’t slowed down because the entire executable is being uploaded to a central server or being hand delivered on a USB stick across the building. Developers don’t have to manage their own certs or keys. Different code signing processes and workflows can be defined for different software projects and phases of the software lifecycle.


Why is this more secure for InfoSec teams? By providing an automated service that offers value to the development team without slowing them down, there is less likelihood that the development team will circumvent the system, which reduces private key sprawl. Resources previously assigned to supporting code signing can be freed up for other InfoSec priorities. Policy enforcement and process are automated, ensuring that future audits are clean.
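The hybrid split described above, as an added illustration and not Venafi's own code: the build machine hashes the artifact and sends only the digest, while a central service holds the private key, enforces a per-project signing policy and records every request. The service is simulated in-process with an Ed25519 key; the project names, policy map and audit trail are constructed assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SigningService stands in for the central service that holds the private key; the key never leaves it.
type SigningService struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	allowed map[string]bool // hypothetical policy: which projects may request signatures
	Audit   []string        // hypothetical audit trail of every signing request
}

func NewSigningService(allowed map[string]bool) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, Pub: pub, allowed: allowed}, nil
}

// SignDigest is the central half: enforce policy, sign the 32-byte digest, record the request.
func (s *SigningService) SignDigest(project string, digest [sha256.Size]byte) ([]byte, error) {
	if !s.allowed[project] {
		s.Audit = append(s.Audit, fmt.Sprintf("DENIED project=%s digest=%x", project, digest[:]))
		return nil, fmt.Errorf("policy: project %q is not authorised to sign", project)
	}
	s.Audit = append(s.Audit, fmt.Sprintf("SIGNED project=%s digest=%x", project, digest[:]))
	return ed25519.Sign(s.priv, digest[:]), nil
}

// SignLocally is the build-side half: hash the artifact where it was built and send only the digest.
func SignLocally(svc *SigningService, project string, artifact []byte) ([]byte, error) {
	return svc.SignDigest(project, sha256.Sum256(artifact))
}

// Verify is what a consumer of the signed artifact does: recompute the digest, check the signature.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	svc, _ := NewSigningService(map[string]bool{"payments-app": true})
	sig, _ := SignLocally(svc, "payments-app", []byte("constructed artifact"))
	fmt.Println("valid:", Verify(svc.Pub, []byte("constructed artifact"), sig), svc.Audit)
}
```

Because only the digest crosses the wire, the size of the binary has no effect on signing time, and a project outside the policy is refused and logged rather than silently signed.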


Venafi Next-Gen Code Signing offers a win/win solution to both InfoSec teams and product development teams. There is no need to sacrifice one for the other. You can have that Bugatti/Volvo hybrid car after all.

