Did you ever see the movie “The Secret Life of Pets”? The premise of the movie is that you’re never really quite sure what is going on in your house when you leave your pets for the day. And more likely than not, this secret life leads to lots of adventure…and trouble.
Well, if you’re a part of your company’s PKI team, have you ever stopped to wonder what secret lives code signing keys and certificates might be leading with your DevOps teams? Code signing certificates are just one type of machine identity that DevOps may be using and producing.
Here’s something most organizations don’t realize. DevOps teams may be producing more machine identities than the rest of the organization combined. Yet, many PKI teams don’t think about including DevOps test certificates, and even production certificates, in the portfolio of machine identities that they need to manage and protect. By acknowledging these machine identities, PKI teams would essentially have to double or triple their machine identity protection efforts. But most are just not thinking about the exposure of the vast number of unmanaged and unprotected machine identities that DevOps teams are generating.
One question I like to ask to get executives thinking about the true number of certificates in use across their organization is, "Did you talk to your DevOps people?" That definitely makes PKI folks stop and think, but occasionally they respond with, "Well, why would I want to talk to them? They don't use certificates." Most do not consider code signing to be an element of their machine identity protection. And consequently, they are not actively monitoring code signing certificates within their organization.
Some PKI professionals are not even aware that their DevOps teams are signing code, let alone why it should be protected. One even asked me, "Why would you sign code?" The answer is simple. If code signing is not carefully controlled, attackers can insert malicious code into your applications and misuse those applications for nefarious purposes. Attackers are extremely clever, and the code they use may even be signed by an entity similar to or exactly the same as your own certificate authority (CA). So the malicious code will be difficult to detect, and you won’t know which machine identities are being used where.
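To make the "similar to or exactly the same as your own CA" point concrete, here is an added example (not code from the original post or from Venafi) in Go using only the standard library: it builds a test CA, a second CA with the identical name but a different key, and a code-signing certificate issued by each. A check that compares issuer names cannot tell them apart; verifying the chain against the trusted root can. All names ("Example Corp Code Signing CA", "build-pipeline") are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a throwaway test certificate for cn (constructed for this example):
// with parent == nil a self-signed CA, otherwise a code-signing leaf issued by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA: signs with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf restricted to the code-signing purpose
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // errors ignored: inputs are fixed test values
	return cert, key
}

// TrustedCodeSigner is true only if leaf chains cryptographically to root and is
// valid for code signing. The issuer name written in leaf is never consulted.
func TrustedCodeSigner(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

func main() {
	ourCA, ourKey := mkCert("Example Corp Code Signing CA", nil, nil)
	fakeCA, fakeKey := mkCert("Example Corp Code Signing CA", nil, nil) // identical name, attacker-controlled key
	genuine, _ := mkCert("build-pipeline", ourCA, ourKey)
	lookalike, _ := mkCert("build-pipeline", fakeCA, fakeKey)
	// Issuer names match, so a name-based check cannot separate them; the chain check can.
	println(genuine.Issuer.String() == lookalike.Issuer.String(), TrustedCodeSigner(genuine, ourCA), TrustedCodeSigner(lookalike, ourCA)) // true true false
}
```

The same principle applies to real signing tools: trust a root by its public key or fingerprint, never by the name printed in the certificate.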
My advice to these organizations is this: You really need to know who's signing what. When those certificates expire, how do you fix it? Because those developers probably won't even be there anymore, or they won't remember. They are dealing with hundreds of these things a week.
As more and more organizations turn to DevOps to speed productivity and time to market, the machine identity problem will only increase in scope. My recommendation is to get a handle on it now before it becomes even more unwieldy. Implementing machine identity visibility, intelligence and automation, especially around code signing, today will not only protect your current applications, it will prepare you to protect future applications that we haven’t even dreamed of yet.
What secret life do code signing credentials have within your DevOps teams?
What is Code Signing? Venafi Chalk talk lays it out.