PARTNER BRIEF

Securing the Code Signing Process
Venafi CodeSign Protect and Thales Data Protection on Demand or Luna HSMs

Together, Venafi and Thales enable InfoSec teams to secure both their code signing keys and the code signing process where access to private keys is vulnerable.

Solution Benefits

• Secure your code signing keys with Thales HSMs

• Protect your code signing process with Venafi CodeSign Protect

• Provide an easy-to-use, automated solution for your developers with this combined offering

With the development of software for internal and external distribution, most companies are now in the software business. Code signing is a critical security control that helps businesses and their customers know software can be trusted. Even though code signing has protected businesses and consumers for decades, there has been an increase in cybercriminals stealing, forging or leveraging vulnerabilities in the code signing process. This increases the risk that critical internal software infrastructure is compromised by hackers or the reputation of a business is damaged when malware is inserted by a third party into their software products.

Secured Key Storage

The first step in protecting code signing is to store the private keys in a Hardware Security Module (HSM), such as Thales’ on-premises Luna HSM or cloud-based Data Protection On Demand service (DPoD). These secure, FIPS 140-2 Level 3 compliant solutions maintain Root of Trust (RoT) private key protection. Even though keys are securely stored in an HSM, cybercriminals have learned to exploit other aspects of the code signing process, which makes it critical to do more than just secure your private keys.

Secured Code Signing Process

Venafi CodeSign Protect and Thales HSMs (DPoD and Luna) in the cloud, on-premises or as a hybrid solution deliver a seamless integration that not only secures private code signing keys but also secures the process by enforcing industry-accepted best practices. Together, these solutions secure the storage of private code signing keys, automate code signing policy enforcement, manage the full lifecycle of code signing certificates, separate code signing roles and responsibilities and provide a full audit trail of code signing activities.

Focusing on the Needs of Software Development Teams

Software development teams frequently do not have PKI expertise, even though they are often the ones responsible for code signing. This can create a vulnerability if they make wrong choices around their code signing process.

Even if their company’s security team provides centralized code signing services, development teams may circumvent them because these services are cumbersome to use, usually aren’t automated or simply take too long to perform. To address this, it is important for InfoSec teams to provide a code signing service that focuses on the needs of their software development teams. This requires a service that:

• Can be easily scripted and doesn’t require developers to change their build process at all

• Seamlessly integrates with their existing tools and software processes, including DevOps, Continuous Integration and Continuous Delivery

• Does not slow down software builds

• Provides a code signing-as-a-service solution that software developers will want to use

How It Works

Venafi CodeSign Protect automates the full certificate lifecycle in addition to enforcing and automating a secure code signing process. Software developers continue to use the code signing tools that they have always used. Private code signing keys always remain protected within the Thales DPoD and Luna HSMs. Access to these keys is controlled by the code signing process enforcement policies that have been defined in the Venafi Platform.

[Figure: solution architecture. The Venafi Platform with CodeSign Protect sits between the PKI/InfoSec admin and the software development team. Admin-side capabilities: Policy Automation and Enforcement (define and enforce high-level code signing policies), Visibility (access to an irrefutable record of all corporate code signing activities), Automation (code signing certificate lifecycle management), Intelligence (spot trends that indicate risks) and Audit and Compliance (proof of compliance). Private keys are secured in a Thales SafeNet Data Protection on Demand HSM or a Thales SafeNet Luna HSM, with one or more code signing approvers. Development side: the software project owner (Policy Enforcement: define project-specific code signing policies), the person(s) tasked with signing code and the automated build script or platform that signs code (Transparent Code Signing: no impact to developers or build scripts), with Automation (automated certificate lifecycle management and self-service) across heterogeneous development environments, including cloud, and email systems.]

Venafi CodeSign Protect

Venafi CodeSign Protect is built on top of the Venafi Platform, which protects machine identities by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile, code signing and SSH for the extended enterprise—on-premises, mobile, virtual, cloud and IoT—at machine speed and scale. Venafi automates the entire key and certificate lifecycle, as well as remediation, to reduce or eliminate security and availability risks connected with weak certificates (such as SHA-1, MD5 or wildcard certificates) or compromised machine identities.

Thales HSM Solutions – DPoD and Luna

Thales offers two solutions that maintain RoT private key protection for Venafi. Thales’ SafeNet family of HSMs, either SafeNet Data Protection On Demand or SafeNet Luna HSMs, provides companies FIPS 140-2 Level 3 compliance with the option of maintaining RoT protection and management of keys across cloud-based, hybrid/multicloud, on-premises or a mixture of deployments. This flexibility makes it easier to deploy a solution to address ever-changing compliance mandates and budgetary requirements.

• DPoD HSM service is a cloud-based HSM service that offers key management capabilities that can be deployed within minutes with no need for specialized hardware or associated skills. This subscription-based HSM solution utilizes Thales’ cloud-first strategy to offer secure storage of keys in the cloud while maintaining strict access controls so that only the customer has access to their keys.

• Luna HSMs store, protect and manage sensitive cryptographic keys in a tamper-resistant on-premises HSM, providing high-assurance key protection within an organization’s own IT infrastructure.

In addition, you can extend your HSM investment by leveraging your Thales HSMs to address other use cases, including PKI, TLS/SSL, document signing, Transparent Data Encryption and Blockchain, as well as migration to the cloud and support for hybrid environments.

Learn more about how your InfoSec team can combine Venafi CodeSign Protect and Thales HSMs to secure code signing for your business. With Venafi and Thales, you can ensure the integrity of your code, safeguard your customers and protect the reputation of your business—all with an easy-to-use solution for your developers.

About Thales

The people you rely on to protect your privacy rely on Thales to protect their data. When it comes to data security, organizations are faced with an increasing number of decisive moments. Whether the moment is building an encryption strategy, moving to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.

Decisive technology for decisive moments.

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.

To learn more, visit venafi.com

Together, We Can Help

The Venafi CodeSign Protect and DPoD or Luna HSMs work together to secure the storage of your code signing keys and secure your code signing process:

• Automate the code signing certificate lifecycle and eliminate the need for software teams to manage this themselves

• Secure code signing activities through policy and workflow enforcement

• Provide an audit trail of all code signing activities

• Protect your private keys and certificates with Thales HSM RoT protection
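The last three points above (policy and workflow enforcement, an audit trail, and private keys that never leave the HSM) are the mechanics the How It Works section describes. The following Python is an added example, not Venafi or Thales code: a ToyHsm class stands in for the HSM (it holds the private exponent and hands back only signatures), a SigningService enforces per-project policy (who may request a signature, who may approve it, which hash algorithm is permitted, and that the approver is not the requester), and every request, granted or denied, is written to an audit log. Textbook RSA over two Mersenne primes with no padding is a stand-in for the HSM's real signing primitive; the project names, identities and sample artifact are constructed assumptions.

```python
"""Toy model of a policy-enforced code signing service (added example,
not Venafi or Thales code).  ToyHsm stands in for the HSM: the private
exponent never leaves it and callers only receive signatures.  Textbook
RSA over two Mersenne primes, with no padding, stands in for the HSM's
real signing primitive."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


class PolicyViolation(Exception):
    """Raised when a signing request is refused by project policy."""


class ToyHsm:
    def __init__(self):
        p, q = (1 << 61) - 1, (1 << 89) - 1              # Mersenne primes (toy size)
        self._n, self._e = p * q, 65537
        self._d = pow(self._e, -1, (p - 1) * (q - 1))    # private exponent stays inside

    def public_key(self):
        return self._n, self._e

    def sign_digest(self, digest: bytes) -> int:
        # Only the first 16 digest bytes are signed so the integer stays below n (~2^150).
        return pow(int.from_bytes(digest[:16], "big"), self._d, self._n)


def verify(public_key, digest: bytes, signature: int) -> bool:
    """What a consumer of the signed software does with the public key."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(digest[:16], "big")


@dataclass
class Project:
    name: str
    signers: set                 # identities allowed to request a signature
    approvers: set               # identities allowed to approve a request
    allowed_hash: str = "sha256"


@dataclass
class SigningService:
    hsm: ToyHsm
    projects: dict
    audit_log: list = field(default_factory=list)

    def _record(self, outcome, **fields):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "outcome": outcome, **fields})

    def sign(self, project_name, requester, artifact: bytes,
             hash_alg="sha256", approved_by=None) -> int:
        entry = dict(project=project_name, requester=requester, approver=approved_by)
        try:
            project = self.projects.get(project_name)
            if project is None:
                raise PolicyViolation(f"unknown project {project_name!r}")
            if requester not in project.signers:
                raise PolicyViolation(f"{requester!r} may not sign for {project_name!r}")
            if hash_alg != project.allowed_hash:
                raise PolicyViolation(f"hash {hash_alg!r} not permitted, policy requires {project.allowed_hash!r}")
            if approved_by not in project.approvers:
                raise PolicyViolation(f"{approved_by!r} is not an approver for {project_name!r}")
            if approved_by == requester:
                raise PolicyViolation("separation of duties: requester cannot approve their own request")
        except PolicyViolation as exc:
            self._record("denied", reason=str(exc), **entry)   # denials are audited too
            raise
        digest = hashlib.new(hash_alg, artifact).digest()
        signature = self.hsm.sign_digest(digest)               # key never leaves the HSM
        self._record("signed", digest=digest.hex(), **entry)
        return signature


def demo():
    """Constructed sample run: one permitted build signing, then three policy denials."""
    service = SigningService(ToyHsm(), {
        "installer": Project("installer", signers={"ci-build", "release-mgr"},
                             approvers={"release-mgr"})})
    artifact = b"constructed sample binary"                   # stands in for a built artifact
    sig = service.sign("installer", "ci-build", artifact, approved_by="release-mgr")
    ok = verify(service.hsm.public_key(), hashlib.sha256(artifact).digest(), sig)
    for kwargs in ({"requester": "contractor", "approved_by": "release-mgr"},    # not a signer
                   {"requester": "release-mgr", "approved_by": "release-mgr"},   # self-approval
                   {"requester": "ci-build", "approved_by": "release-mgr",
                    "hash_alg": "sha1"}):                                        # weak hash
        try:
            service.sign("installer", artifact=artifact, **kwargs)
        except PolicyViolation:
            pass
    return ok, [e["outcome"] for e in service.audit_log]


if __name__ == "__main__":
    print(demo())   # (True, ['signed', 'denied', 'denied', 'denied'])
```

The build script only ever calls sign() and gets an integer back, which is the "transparent code signing" property from the figure: the developer's tooling is unchanged, while the policy decisions and the record of who signed what, approved by whom, live with the service rather than on the build machine.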

©2020 Venafi, Inc. All rights reserved.