Venafi CodeSign Protect is an add-on to the Venafi Trust Protection Platform. It extends your organization’s machine identity management to include code signing. Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities.
Chances are, code signing may be unfamiliar to you, but nevertheless it is a critical machine identity that must be protected. Did you know that hackers are actively targeting corporate code signing certs and keys in major companies around the world and using vulnerabilities to add malware?Read About It
You're responsible for information security in your organization, but may not have complete visibility into all code signing activities that occur by your development teams. Worse yet, you may know that good code signing policies aren't being followed because they can't be enforced.Learn More
It's obvious that software that your company delivers to customers needs to be code signed. But did you know that industry best practice says that code your organization relies on for critical business functions should be signed too? Think: PowerShell scripts, database software, and other used for critical business infrastructure.Learn More
Even if you're using Trust Protect Platform to manage code signing certificates, CodeSign Protect offers these features that make code signing more secure for you, and easier and faster for your developers.
Developers never need direct access to private code signing keys which remain in a secure location.
One of the biggest risks is when developers store code signing keys in insecure locations because it is convenient to them. With CodeSign Protect, the keys always remain in a secure location: either the TPP trusted vault or a connected HSM.
Self-service simplifies code signing for your developers and keeps performance high.
Developers no longer have to worry about where a private key is stored, how to access it, understand the certificate lifecycle management process, or even learn a new tool. Venafi CodeSign Protect integrates directly with the code signing tools and build automation tools that they use today. No need to change build scripts or even workflows.
Easily integrate into build pipelines without slowing down developers
Automates code signing certificate lifecycle
No need to know where code signing private key is stored or how to access it
Rich API available for automation
Automate fulfillment of code signing certificate requests or renewals
Code signing performance is high and doesn't slow down their release process
Securely storing private keys isn't enough. Define and automate a secure code signing process.
The NIST whitepaper: "Security Considerations for Code Signing" explains that storing code signing keys in a secure location is not adequate to protect them. Instead, you must enforce a process that controls access to those keys. This includes a clear approval process that specifies who is authorized to use the key, who needs to approve its use, what code signing tools may be used with the key, and other things like time it can be accessed or machine that may access it. Venafi CodeSign Protect allows your teams to:
Your organization is at risk if you don't have complete visibility into all code signing operations.
InfoSec organizations should maintain an irrefutable record of all code signing operations within their organization including the following information:
Without this visibility, your organization cannot gather the intelligence needed to ensure that you are within compliance or be able to spot trends that could indicate code signing risks.
Works with most development tools, CAs, and HSMs
The tools that your development teams use to develop software is diverse. CodeSign Protect leverages the vast ecosystem that Venafi has developed with its partners to ensure that, out of the box, CodeSign Protect will work with the ecosystem that your developers use including:
CodeSign Protect allows your developers to sign apps, scripts, source code, and more.
One of the biggest impediments to rolling out an enterprise-wide code signing self-service is that it doesn't support the tools that your developers use or the types of code that they need to sign.
Getting Started with CodeSign Protect
Getting Started with CodeSign Protect is simple. It's already installed as part of your Trust Protection Platform installation. Contact your Venafi account team for information on how to enable licensing for it.