IT service provider Fullstaq will develop an open-source plugin for Jenkins, the most commonly used DevOps tool, for Venafi Next-Gen Code Signing. The plugin makes it easy for engineers to build software without worrying about cybercriminals stealing or misusing code signing certificates. The beta version will be released in the summer of 2020 for Venafi customers.
The Next-Gen Code Signing solution from Venafi, the market leader in cybersecurity in Machine Identity Protection, is now more important than ever. Cybercriminals steal code signing certificates from software companies to sign malware and trick people into installing it. As of Q2 2018, over 22M instances of malware were signed with stolen or forged code signing credentials and that number has increased by almost 1M per quarter since then.
But, code signing credentials need not be stolen to be abused. In 2019, ASUS, the Taiwanese computer manufacturer, for example, fell victim to hackers finding critical code signing keys on their web update server. They added malware to legitimate ASUS updates, signed with ASUS’s code signing keys, infecting 1M ASUS computers.
The new plugin allows organizations to integrate Next-Gen Code Signing into the deployment process via Jenkins without custom development or one-off scripting. Currently, Next-Gen Code Signing is only available through the Venafi platform.
Next-Gen Code Signing provides a DevOps friendly, easy to use, fast, and scalable solution for organizations to keep their critical code signing process secure, without changing developer workflows or tools.
Fullstaq will develop the Jenkins plugin in close collaboration with the Venafi product team according to the Scrum method. Within the project, the APIs of the Next-Gen Code Signing solution will be perfected and the plugin developed. The end result is a production ready plugin for Jenkins.
Fullstaq architect Arnold van Wijnbergen about the collaboration: “In modern software development, the DevOps method has a solid foundation. We want to deploy our software to production environments faster, more often and in an automated manner. Venafi understands this like no other and therefore asked us to integrate the innovative Next-Gen Code Signing platform within Jenkins. We are honored to be able to use our knowledge for a reputable company such as Venafi. Fullstaq and Venafi, a great combination!"
Starting this summer, Venafi customers using Jenkins can integrate the beta version of the Next-Gen Code Signing plugin from Fullstaq into their continuous integration and continuous development (CI/CD) pipelines. Fullstaq and Venafi expect to launch the fully optimized version by the end of 2020.
“Engineering teams need the freedom to leverage the power of Jenkins throughout their build process,” explains Kevin Bocek, VP Ecosystem and Threat Intelligence at Venafi. “As part of the Machine Identity Protection Development Fund, Fullstaq is helping developers move at DevOps speed with Jenkins and Venafi Next-Gen Code Signing.”
Organizations protect software with the help of code signing. Code signing ensures that software receives a digital signature which guarantees the identity of the author and the integrity of the code. Code signing is used to protect every Windows, Mac OS X, iOS, and Android computing and is now used to secure containers, IoT software updates, and even software installed on to airplanes. However, hackers are now targeting the theft or misuse of code signing keys so they can use them to sign their malware.
As organizations increase the frequency of code releases, developers are often responsible for signing their own code. Security policies are not always followed due to a lack of time or because developers don’t understand the severity of the problem. Personal encryption keys and digital certificates are then stored on different servers, on personal laptops or desktops, somewhere in the cloud and other locations. In other words: an inscrutable and unsafe labyrinth of encryption keys, often referred to as key sprawl. Venafi Next-Gen Code Signing solves this problem.