
Fullstaq and Venafi Safeguard DevOps Build Pipelines with Jenkins Plugin for Next-Gen Code Signing

May 5, 2020 | Gerrit Tamboer, Managing Director at Fullstaq in The Netherlands


IT service provider Fullstaq will develop an open-source plugin for Jenkins, the most commonly used DevOps tool, for Venafi Next-Gen Code Signing. The plugin makes it easy for engineers to build software without worrying about cybercriminals stealing or misusing code signing certificates. The beta version will be released in the summer of 2020 for Venafi customers.


 

Hackers easily steal powerful code signing machine identities

The Next-Gen Code Signing solution from Venafi, the market leader in cybersecurity in Machine Identity Protection, is now more important than ever. Cybercriminals steal code signing certificates from software companies to sign malware and trick people into installing it. As of Q2 2018, over 22M instances of malware were signed with stolen or forged code signing credentials and that number has increased by almost 1M per quarter since then.

But code signing credentials need not be stolen to be abused. In 2019, for example, ASUS, the Taiwanese computer manufacturer, fell victim to hackers who found critical code signing keys on its web update server. They added malware to legitimate ASUS updates, signed with ASUS’s code signing keys, infecting 1M ASUS computers.
 

New Jenkins plugin for Venafi Next-Gen Code Signing

The new plugin allows organizations to integrate Next-Gen Code Signing into the deployment process via Jenkins without custom development or one-off scripting. Currently, Next-Gen Code Signing is only available through the Venafi platform.

Next-Gen Code Signing provides a DevOps-friendly, easy-to-use, fast, and scalable solution for organizations to keep their critical code signing process secure, without changing developer workflows or tools.
 

Intensive collaboration between Fullstaq and Venafi

Fullstaq will develop the Jenkins plugin in close collaboration with the Venafi product team according to the Scrum method. Within the project, the APIs of the Next-Gen Code Signing solution will be perfected and the plugin developed. The end result is a production-ready plugin for Jenkins.

Fullstaq architect Arnold van Wijnbergen about the collaboration: “In modern software development, the DevOps method has a solid foundation. We want to deploy our software to production environments faster, more often and in an automated manner. Venafi understands this like no other and therefore asked us to integrate the innovative Next-Gen Code Signing platform within Jenkins. We are honored to be able to use our knowledge for a reputable company such as Venafi. Fullstaq and Venafi, a great combination!”
 

Beta version available in the summer of 2020

Starting this summer, Venafi customers using Jenkins can integrate the beta version of the Next-Gen Code Signing plugin from Fullstaq into their continuous integration and continuous development (CI/CD) pipelines. Fullstaq and Venafi expect to launch the fully optimized version by the end of 2020.

“Engineering teams need the freedom to leverage the power of Jenkins throughout their build process,” explains Kevin Bocek, VP Ecosystem and Threat Intelligence at Venafi. “As part of the Machine Identity Protection Development Fund, Fullstaq is helping developers move at DevOps speed with Jenkins and Venafi Next-Gen Code Signing.”
 

Secured code signing more important than ever

Organizations protect software with the help of code signing. Code signing ensures that software receives a digital signature which guarantees the identity of the author and the integrity of the code. Code signing is used to protect every Windows, Mac OS X, iOS, and Android computing device and is now used to secure containers, IoT software updates, and even software installed on airplanes. However, hackers are now targeting the theft or misuse of code signing keys so they can use them to sign their malware.

As organizations increase the frequency of code releases, developers are often responsible for signing their own code. Security policies are not always followed due to a lack of time or because developers don’t understand the severity of the problem. Personal encryption keys and digital certificates are then stored on different servers, on personal laptops or desktops, somewhere in the cloud and other locations. In other words: an inscrutable and unsafe labyrinth of encryption keys, often referred to as key sprawl. Venafi Next-Gen Code Signing solves this problem.



 

About the author

Gerrit Tamboer, Managing Director at Fullstaq in The Netherlands

Gerrit Tamboer is a Founding Partner at Fullstaq and now serves as its Managing Director in The Netherlands. A broadly experienced Linux engineer with a strong affinity for Open Source software and standards, he specializes in software integration, middleware solutions and MySQL. His expertise lies in working between the software development and system engineering layers, and he is passionate about sharing his knowledge with the Open Source and DevOps communities.
