Best Practices 11-26-2020

Simplify Code Signing Around the Holidays and Always

Dave Roche

Code signing is a critical part of your DevOps process to ensure that code cannot be tampered with. During the holidays, typically there are fewer people in the office and most are busier, so automation and extra security are even more important to simplify workflows. Additionally, with a remote working environment, having a flexible solution that does require keys stored on FIPS-compliant devices and other hardware can simplify code signing.

Using a code-signing-as-a-service solution can help simplify getting code signed, make it quicker and easier to keep code secure and free up your team’s bandwidth. This holiday season, code-signing-as-a-service may just be the best gift for your software engineering team, and the benefits will last long past the new year.

Challenges of traditional code signing

Traditionally, code signing often involves storing keys on desktops, key sharing and no visibility over signing activities. If not managed carefully, this traditional code signing can lead to misuse and even malware signing. Mismanagement of key storage and key sharing can be overlooked or difficult to trace if you are not tracking all of your code signing activities. Furthermore, unsigned code or exposed private keys can be detrimental to your reputation and cause significant financial loss.

Studies show that over half of IT security professionals are worried about cybercriminals stealing or forging certificates to sign code or applications, yet less than a third consistently enforce code signing policies. Additionally, in September 2020, the U.S. Department of Justice charged two Malaysians and five Chinese hackers with hacking over 100 U.S. companies. The attackers were charged with the theft of source code, code signing certificates and even customer and business data. Code signing has a significant threat environment and can be a large stressor for your software engineering team.

Furthermore, during the holiday season there is a risk of needing an emergency push of new code while working remote. With traditional code signing, this can be difficult to pull off. But with a code signing management system a developer could safely be granted access to needed signing keys during the holidays.

Hackers don’t rest during the holidays. But your IT team still deserves a holiday break. To protect your code and still give your DevOps team more time this holiday season (and always), consider a code-signing-as-a-service solution.

Gift of more time

First, a code-signing-as-a-service solution can give your developers the best gift of all this holiday season: time. Find a code signing solution that will require easy management and automation. You cannot delay development processes waiting on code signing. With a code-signing-as-a-service solution, your team can manage code signing quicker, even with a smaller or remote-working staff, easily fitting within your development workflows. A code signing manager offers automated signing using built in API integration and you can pre-plan and approve signature windows for secure releases and updates.

Gift of security

Not only does a code signing manager help give back time, it also makes your code more secure to give you more peace of mind. A code signing manager or solution gives you visibility and insight over any red flags to simplify checking for potential problems. Thus, if a problem does surface you can respond quickly and efficiently to maintain security. Additionally, a code signing manager helps you comply with code signing requirements at minimal cost. Admins can control permission-based access, with visibility into who is allowed to sign with what signing private keys and certificates. This can enforce accountability over signing users and activities and prevent code signing keys from being shared.

Reduce the risk of key theft and misuse, eliminate the need for your own HSM and have peace of mind during the holidays with a code signing manager. DigiCert has developed DigiCert® Software Trust Manager, a modern solution for code signing that integrates into Continuous Integration/Continuous Delivery (CI/CD) processes and allows you to monitor everything in one dashboard.

About DigiCert Software Trust Manager

DigiCert Software Trust Manager is a modern way of managing code signing by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management.

Sign code binaries rapidly, easily, and at scale with Secure Software Manager. Additionally, keys are generated in the cloud, so when not in use they are in offline mode to ensure that they do not get shared, lost or stolen.

DigiCert Software Trust Manager supports all major file types, including:

Using DigiCert Software Trust Manager, enterprises integrate code into their product development processes easily while delegating cryptographic operations, signing activities and management in a controlled, auditable way. With tracking, reporting and audit trails for forensics and accountability, Secure Software Manager enables enterprise to comply with corporate and industry security policies.

DigiCert Software Trust Manager, built on DigiCert ONE™

DigiCert Software Trust Manager is built on DigiCert ONE, the most modern PKI management platform on the market. DigiCert ONE was developed with cloud-native architecture and technology as the PKI infrastructure service for today's security challenges.

Released in 2020, DigiCert ONE offers multiple management solutions and is designed for all PKI use cases. Its flexibility allows it to be deployed on-premises, in-country or in the cloud to meet stringent requirements, custom integrations and airgap needs. It also deploys extremely high volumes of certificates quickly using robust and highly scalable infrastructure. DigiCert ONE delivers end-to-end centralized user and device certificate management, a modern approach to PKI to provide trust across Kubernetes clusters and dynamic IT architectures.

For more information on DigiCert Software Trust Manager, visit digicert.com/software-trust-manager.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-27-2024

6 actionable ways to secure the IIoT at every stage

Tracking the progress toward post-quantum cryptography

The state of PQC since the publication of FIPS 203, 204 and 205