Keyfactor, provider of secure digital identity management solutions, announced a new integration with Thales that combines Keyfactor’s code signing platform with the high-assurance key protection of Thales’ SafeNet Cloud HSM On-Demand. The result of this partnership, Keyfactor Code Assure, delivers secure code signing to software vendors, mobile app developers, enterprise IT organizations, and manufacturers of IoT devices.
Keyfactor Code Assure stores all code signing certificates from disparate network locations (i.e. developer workstations, build servers, and thumb drives) in a centralized and secure HSM, Thales’ SafeNet Cloud HSM On-Demand. Once inside, the certificates never leave the vault.
Only developers with the right access can request code signage, where it is then signed and returned to the user. Access controls ensure that only developers with the right privileges can sign software and firmware during the time windows designated by the certificate owner.
“We’re seeing a rise in threats against code signing operations, like the recent ASUS hack where attackers exploited code to plant and deploy malware when businesses ran standard updates,” said Jordan Rackie, chief executive officer at Keyfactor. “These attacks erode the fabric of trust that consumers and business users alike place in software publishers and device manufacturers. This partnership and our highly integrated, hybrid approach uphold digital trust, making end-to-end protection against evolving code signing-based attacks simpler for innovative DevOps teams and software providers.”
Code signing certificates are used to digitally sign applications, drivers and software, allowing end users to verify the authenticity of the publisher. Cyber-attackers can forge and compromise vulnerable certificates and keys, often planting malware that detonates once a firmware or software update is installed on a user’s system.
Recent research pegs the cost of code signing certificate and key misuse at $15 million and estimates a 29 percent likelihood that organizations will experience code signing incidents over the next two years.
Keyfactor Code Assure has already been adopted by Fortune 500 leaders that value security and trust as utmost priority. This integration allows these organizations to defend their business and users against the rising threat of code signing hacks; get complete visibility and control of keys and certificates for security teams; and enables DevSecOps with simple and secure workflows for developers; deploy with zero disruption to existing SDLC or build processes.
It also supports secure code signing of virtually any code, anywhere – including Windows binaries, Java and IoT firmware; and empowers distributed development teams with a unique, patented technology to sign code from build servers and workstations – without the private keys ever leaving the auditable, protected confines of a Hardware Security Module (HSM).
“Complete protection and control of code signing keys is challenging for most businesses, especially as infrastructure and development teams are widespread across the globe,” said Ted Shorter, Chief Technology Officer and Co-founder at Keyfactor. “Faster release cycles and frequent code changes in DevOps environments leave security teams fighting to keep pace. Thales and Keyfactor designed Keyfactor Code Assure to empower innovators, enabling them to secure code signing at the speed of DevOps.”
“The Keyfactor platform has many applications for helping secure the Internet of Things, manufacturing, connected automobiles as well as code signing. The flexibility of these cloud solutions means customers can move their enterprise services to the cloud and get all the benefits of owning PKI while minimizing the risks,” said Todd Moore, senior vice president of encryption products at Thales.