Skip to main content
banner image
venafi logo

DevOps and Security: Code Signing Disconnect

DevOps and Security: Code Signing Disconnect

code signing and DevOps
October 9, 2019 | Scott Carter


In most organizations, DevOps business is not being run by security. It's being run by a group of developers. Yes. They're using all sorts of cool stuff to create amazing apps for the business. They're marketing wise and doing very exciting work. But if organizations don't know how the certificates for these applications are being signed, then these groundbreaking development efforts may become somewhat tarnished.  

Not to diminish from the amazing work they do, but the main concern of developers is not security. If fact, they don’t much care about security. What they care about is doing whatever they've got to do to launch whatever it is they've got to get launched. In this high-paced environment, it’s easy for security to become an afterthought.

Is Security an Afterthought?

But it’s not just the developers who are not security focused. Sometimes it seems that no one is scrutinizing security all that carefully in DevOps. If the developers are not being told "sign the code" and which certificate authority (CA) to use to sign it with, they either won’t sign it or they'll spin up a self-signed CA within the DevOps environment to do the signing. So, it's not their fault, it's just that the people that understand PKI are generally not the people that are going to take care of the provisioning of DevOps certificates. That's the problem.



Indeed, many developers are unable to answer the questions that security folks routinely ask. Questions like which CA is actually issuing the certificates. Who's managing that process? Who’s determining the certificate attributes? How secure is it? If organizations are not tracking all those DevOps certificates correctly and managing them well, they won’t know if any have been revoked, who’s signing the active certificates, or if they are even being signed at all.

In fact, some of these organizations don't even know whether they're using certificates in DevOps. They don't even know if the microservices and containers have got certificates on them. And they often don't understand why they need certificates. They wonder why they would bother with a certificate if the code is inside a container. They don’t really think about how the code is performing all these functions, and how it's transmitting all this data that needs to be secured.

"Some of organizations don't know if they're using certificates in DevOps"

Even more important, organizations need to know that the code they are trusting is legitimate. They need assurances that the code was implemented by a bona fide developer, not by some hacker somewhere that can then insert that piece of code inside the app to drain all the valuable data somewhere else.

Case in point, there was an attacker a few months ago that created a new containerized app for a brand, and it was a replica of a legitimate banking app. So, bank customers downloaded it thought they were downloading the legitimate banking app, when all it was actually doing was diverting their data and transactions to an undisclosed location. As a result, some bank accounts got drained fairly quickly, which was a huge problem for the bank even though it wasn’t their fault. It was just easier for the customers to blame the bank.


The Wild West of Code Signing

The reality is that most containers are not particularly well protected, especially on Android. And if an organization doesn't know whether they're signing their code or not (or if so, whether the code is signed by a trusted source), then it's a fairly sort of wild west environment to be in.

In the words of my esteemed former colleague, Terrie Anderson, “What organizations are left with is a scenario like this: They've got all these machine identities created by DevOps and they don't know exactly what they are. They simply don't know what they don't know. So, they end up with tons of machine identities that are floating around out there. But they may not even know if they've got machine identities in DevOps. If they have got them, they hope they're out there, and they hope they're valid, and they hope that they're correctly linked, and they hope that they're secure. But hope is not a great thing to run an enterprise IT environment off. In fact, hope is not a strategy at all.”

Do you know how secure is your code signing process for DevOps?



Related posts


Like this blog? We think you will love this.
Featured Blog

What Is the Difference Between a Public Key and a Private Key?

Symmetric and asymmetric encryption

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more