When Venafi’s CEO, Jeff Hudson, introduced the term fastsecure at the Machine Identity Management Global Summit 2021, there was a lot of head nodding across the team here at Futurex. In many tangible ways, fastsecure is a big part of what we do. To be sure, security is first and foremost, and speed is not far behind. Our hardware security modules (HSMs) meet or exceed the industry’s highest security standards and are a critical element in the fastsecure process.
In the world of machine identity management, fastsecure is focused on bridging the gap between DevOps and InfoSec. DevOps is all about rapid innovation, while InfoSec is about making sure developers don’t skip important security processes in the name of speed. It’s a balancing act and both sides need to be playing along for it to all come together seamlessly.
One way to achieve both goals is to harden code iterations without creating undue burdens on developers on the DevOps side. Code signing—when implemented correctly—is an effective way to ensure code is trusted and hasn’t been tampered with. Digitally signing code for firmware, device drivers, applications, operating systems, or mobile applications is a proven and effective method for protecting software. It improves the security of the software supply chain by protecting code integrity at each step.
In an effort to speed up the build and deployment stages of CI/CD workflows, DevOps teams may take certain shortcuts. To avoid lengthy certificate request processes, developers may be tempted to use certificates signed by an untrusted source, or to store signing keys and certificates insecurely. These manual, insecure cryptographic practices may be fast, but they are hardly secure, and they expose organizations to a high level of risk that is clearly best avoided.
Code signing, and the certificates used in that process, should be centralized and automated using cryptographic hardware. The good news here is that hardened code signing, when managed in conjunction with a FIPS 140-2 Level 3 validated HSM, can be a straightforward four-step process:
The use of a KMS brings a range of other benefits that align with the fastsecure vision. For instance, an advanced KMS can help automate the entire code-signing and certificate management life cycle, remove workflow bottlenecks, and natively integrate with CI/CD systems. Less time generating and managing digital certificates equals faster code deployments—all without sacrificing security.
Making this happen is fast and easy for Venafi customers. That’s because Futurex’s HSMs, KMES Series 3 and Vectera Plus, are fully integrated with Venafi’s Trust Protection Platform (TPP). This integration enables security teams to define X.509 certificate profiles to fit the entire breadth of enterprise needs from mobile devices to ephemeral DevOps containers. And InfoSec and DevOps teams can use Futurex with the Venafi ecosystem from application servers to Application Delivery Controllers (ADC) to secure DevOps processes from initial code-signing through to delivery.
According to a study conducted by Venafi, code signing keys are highly prized by attackers because they enable security incidents. Venafi offers up these security best practices:
Code signing done right does increase the amount of digital signing that needs to occur. It is therefore imperative to have solutions—such as the one provided by Futurex’s HSMs and Venafi’s CodeSign Protect—that simplify how developers access private code signing keys while also creating a secure process that protects these valuable security assets from attackers.
We’re excited to be working with Venafi to bring the fastsecure vision to life and help our mutual customers securely and safely accelerate innovation.