Securing Your Code Shouldn’t Impede Your Innovation
The efficacy of code signing as an authentication mechanism for software depends on the integrity of code signing keys. Unfortunately, the ability to properly implement code signing and assure adequate protection of the private keys and certificates is growing more and more challenging in today’s world of increased virtualization, scaling and distribution.
Hardware Security Modules (HSMs) Aren’t Compatible with the Digital Era
Using dedicated HW across multiple sites creates silos, making centralized management and policy enforcement difficult
The manual set-up, admin & maintenance of dedicated HW conflicts with the short delivery cycles and automation needs of DevSecOps
Granular user-based auditing isn’t readily available even though many code signing activities are user and file-specific
HSMs don’t support the ability to grant authentication to a specific user using a specific build application
The ability to control keys in the public cloud is very limited, and synching keys across different CSPs is near impossible
Protect Your Software with
Software-Defined Code Signing
Unbound Key Control (UKC) code signing solution delivers hardware-level security without the hardware, making it an excellent fit for organizations with hybrid cloud environments and/or disparate development sites. This platform-agnostic solution has fully abstracted the hardware and can be deployed as a single, centralized code signing solution to cover development teams in disparate locations using any mix of environments (public cloud, private cloud, on premise). UKC is very easy to use and supports full automation of all operations including maintenance, set up and administration, seamlessly integrating with DevSecOps processes to ensure secure and rapid application delivery.
UKC includes advanced context-based auditing tools that give you the full details of every code signing operation, every time a key is used. Logs include: what type of operation, the date and time of the operation; the build servers from which the request was made; and the user that authorized the code signing operation. Audit logs can be viewed from the UKC console or exported to a third-party tool such as a SIEM.
Providing an additional security layer that is highly effective and easy to use, UKC integrates with organizational directories such as Active Directory and also supports SAML-based user/application authentication.
Any Code, Anywhere
Cover distributed teams using any mix of cloud/hybrid environments for code signing on multiple platforms
Seamlessly integrates with your DevSecOps processes to ensure secure and rapid application delivery
Fits any deployment size and complexity including huge development teams distributed globally
Supports full automation of all operations including maintenance, setup and administration
Seamless AD/IDaaS integration for user-based authentication and auditing on your code signing keys
How Does it Work?
Unbound Key Control enables secure management of cryptographic keys on any standard platform, including physical/virtual machines and containers.
A typical code signing process is started by calculating the hash of the code using algorithms like SHA-1 or SHA-2. Then, the build server initiates a certification request to Unbound accompanied with the application name, the hash and the public key, after which Unbound signs the hash with the private key using MPC protocol to access both key shares. The signed hash is then returned to the build server.
1. Create a hash of the code using an algorithm such as SHA-1 or SHA-2.
2. Certificate Request (Application Name & Version, Hash, Public Key).
3. Unbound signs with the private key on the hash.
4. Returning hash signed with the private key.
Unbound provides hybrid-cloud, multi-site support in a single system deployment, meeting the needs of organizations with large and/or disparate development teams across distributed environments.
A single Unbound Key Control cluster is used to manage all code signing certificates from one centralized system with a single pane of glass. All build servers and developer machines are connect to the cluster to consume code signing services.
Leveraging Code Signing Best Practices for Your Enterprise
While the need for code signing has grown, so has it's complexity. With the proliferation of software, as well as software operating IoT/network infrastructure hardware, the protection of code signing keys is critical. In this guide we discuss why enterprises need a central code signing key protection & key management platform, and best practices to implement secure code signing.
Code Signing Solution Brief
Companies that work with Code Signing are under a sophisticated cyber threat landscape that HSMs cannot sufficiently guard against. The Unbound Key Control (UKC) code signing solution delivers pure-software HSM-level security covering all development teams across your entire infrastructure.
Case Study: Enterprise Code Signing
In this case study we pose challenges facing a top tech company, including the large number of developers and global sites, a mix of on-premise and cloud-based development environments and how to tackle the problem of agility vs. scalability.
Best Practices for Implementing Secure Code Signing
Best practices for implementing secure code signing--explore new approaches for code signing, and review best practices. We’ll highlight some of the new challenges in protecting code signing private keys and certificates in today’s world of increased virtualization, scaling and distribution.