The Secret Life of Code Signing in DevOps

September 18, 2019 | Eddie Glenn

Did you ever see the movie “The Secret Life of Pets”? The premise of the movie is that you’re never really quite sure what is going on in your house when you leave your pets for the day. And more likely than not, this secret life leads to lots of adventure…and trouble.

Well, if you’re a part of your company’s PKI team, have you ever stopped to wonder what secret lives code signing keys and certificates might be leading with your DevOps teams? Code signing certificates are just one type of machine identity that DevOps may be using and producing.


Here’s something most organizations don’t realize. DevOps teams may be producing more machine identities than the rest of the organization combined. Yet, many PKI teams don’t think about including DevOps test certificates, and even production certificates, in the portfolio of machine identities that they need to manage and protect. By acknowledging these machine identities, PKI teams would essentially have to double or triple their machine identity protection efforts. But most are just not thinking about the exposure of the vast number of unmanaged and unprotected machine identities that DevOps teams are generating.

One question I like to ask to get executives thinking about the true number of certificates in use across their organization is, "Did you talk to your DevOps people?" That definitely makes PKI folks stop and think, but occasionally they respond with, "Well, why would I want to talk to them? They don't use certificates." Most do not consider code signing to be an element of their machine identity protection. Consequently, they are not actively monitoring the code signing certificates within their organization.
 

"Why would you sign code?"

Some PKI professionals are not even aware that their DevOps teams are signing code, let alone why that signing needs to be protected. One even asked me, "Why would you sign code?" The answer is simple. If code signing is not carefully controlled, attackers can insert malicious code into applications and misuse those applications for nefarious purposes. Attackers are extremely clever, and the code they use may even be signed by an entity that looks similar to, or is exactly the same as, your own certificate authority (CA), so it will be difficult to detect. And you won’t know which machine identities are being used where.


My advice to these organizations is this: you really need to know who's signing what. And when those certificates expire, how do you fix it? The developers who requested them probably won't even be there anymore, or they won't remember, because they are dealing with hundreds of these things a week.

Get a handle on it: now

As more and more organizations turn to DevOps to speed productivity and time to market, the machine identity problem will only increase in scope. My recommendation is to get a handle on it now, before it becomes even more unwieldy. Implementing machine identity visibility, intelligence and automation, especially around code signing, today will not only protect your current applications, it will prepare you to protect future applications that we haven’t even dreamed of yet.



 

What secret life do code signing credentials have within your DevOps teams?

About the author

Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.
