The Secret Life of Code Signing in DevOps

September 18, 2019 | Eddie Glenn

Did you ever see the movie “The Secret Life of Pets”?  The premise of the movie is that you’re never really quite sure what is going on in your house when you leave your pets for the day.  And more likely than not, this secret life leads to lots of adventure…and trouble.

Well, if you’re a part of your company’s PKI team, have you ever stopped to wonder what secret lives code signing keys and certificates might be leading with your DevOps teams?  Code signing certificates are just one type of machine identity that DevOps may be using and producing.

Here’s something most organizations don’t realize. DevOps teams may be producing more machine identities than the rest of the organization combined. Yet, many PKI teams don’t think about including DevOps test certificates, and even production certificates, in the portfolio of machine identities that they need to manage and protect. By acknowledging these machine identities, PKI teams would essentially have to double or triple their machine identity protection efforts. But most are just not thinking about the exposure of the vast number of unmanaged and unprotected machine identities that DevOps teams are generating.

One question I like to ask to get executives thinking about the true number of certificates in use across their organization is, "Did you talk to your DevOps people?" That definitely makes PKI folks stop and think, but occasionally they respond with, "Well, why would I want to talk to them? They don't use certificates." Most do not consider code signing to be an element of their machine identity management. And consequently, they are not actively monitoring code signing certificates within their organization.

"Why would you sign code?"

Some PKI professionals are not even aware that their DevOps teams are signing code, let alone why that signing needs to be protected. One even asked me, "Why would you sign code?" The answer is simple. If code signing is not carefully controlled, attackers can insert malicious code into applications and misuse those applications for nefarious purposes. Attackers are extremely clever: the code they distribute may even be signed by an entity that resembles, or is exactly the same as, your own certificate authority (CA), which makes it difficult to detect. And you won’t know which machine identities are being used where.

My advice to these organizations is this: you really need to know who's signing what. When those certificates expire, how do you fix it? The developers who requested them probably won't even be there anymore, or they won't remember, because they are dealing with hundreds of these things a week.

Get a handle on it: now

As more and more organizations turn to DevOps to speed productivity and time to market, the machine identity problem will only increase in scope. My recommendation is to get a handle on it now, before it becomes even more unwieldy. Implementing machine identity visibility, intelligence and automation today, especially around code signing, will not only protect your current applications, it will prepare you to protect future applications that we haven’t even dreamed of yet.


What secret life do code signing credentials have within your DevOps teams?

About the author

Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.