SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Keyfactor and Thales announce integration to fight code signing cyber-attacks
Tue, 18th Jun 2019

Digital identity management solutions provider Keyfactor has announced a new integration with Thales that combines Keyfactor's code signing platform with the key protection of Thales' SafeNet Cloud HSM On-Demand.

The result of this partnership, Keyfactor Code Assure, aims to deliver secure code signing to software vendors, mobile app developers, enterprise IT organisations, and manufacturers of IoT devices.

“We're seeing a rise in threats against code signing operations, like the recent ASUS hack where attackers exploited code to plant and deploy malware when businesses ran standard updates,” says Keyfactor chief executive officer Jordan Rackie.

“These attacks erode the fabric of trust that consumers and business users alike place in software publishers and device manufacturers. This partnership and our integrated, hybrid approach uphold digital trust, making end-to-end protection against evolving code signing-based attacks simpler for DevOps teams and software providers.”

Code signing certificates bind a publisher's identity to a signing key. The publisher signs applications, drivers and firmware with the private key, and end users (or their operating system and update tooling) verify the signature against the certificate to confirm who published the code and that it has not been modified since it was signed.

Attackers who steal a publisher's signing key, or obtain a certificate issued in its name, can sign malware that installs as a trusted firmware or software update and detonates on the user's system.

Recent research pegs the cost of code signing certificate and key misuse at $15 million and estimates a 29% likelihood that organisations will experience code signing incidents over the next two years.

“Complete protection and control of code signing keys are challenging for most businesses, especially as infrastructure and development teams are widespread across the globe,” says Keyfactor chief technology officer and co-founder Ted Shorter.

“Faster release cycles and frequent code changes in DevOps environments leave security teams fighting to keep pace.

“Thales and Keyfactor designed Keyfactor Code Assure to empower innovators, enabling them to secure code signing at the speed of DevOps.”

Keyfactor Code Assure consolidates the code signing keys and certificates that would otherwise be scattered across disparate locations (developer workstations, build servers, thumb drives) into a single centralised HSM, Thales' SafeNet Cloud HSM On-Demand.

Once inside, the private keys never leave the HSM.

Only developers with the right access can request a signature: the code to be signed is submitted, signed inside the HSM, and the signature is returned to the requester.

Access controls ensure that only developers with the right privileges can sign software and firmware, and only within the time windows designated by the certificate owner.
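The workflow described in the paragraphs above (keys consolidated in an HSM that never exports them, requesters submitting code and receiving a signature, access limited to authorised identities within a signing window, every request logged) is illustrated by the following Go program. It is an added example, not Keyfactor or Thales code and not the SafeNet Cloud HSM On-Demand API: an in-process `SigningService` stands in for the HSM, the `Policy` type, the signer names, the signing window and the firmware bytes are all constructed for the illustration, and ECDSA P-256 over a SHA-256 digest is assumed as the signature scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Policy is what the certificate owner configures: which identities may
// request signatures and during which window (hypothetical, not a product API).
type Policy struct {
	AllowedSigners map[string]bool
	NotBefore      time.Time
	NotAfter       time.Time
}

// SigningService stands in for the HSM-backed signing service. The private key
// is unexported and no method returns it; callers only ever receive signatures.
type SigningService struct {
	priv   *ecdsa.PrivateKey
	policy Policy
	Audit  []string // one line per request, accepted or refused
}

func NewSigningService(policy Policy) (*SigningService, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, policy: policy}, nil
}

// PublicKey is the half that goes into the code signing certificate and ships
// to end users; it is the only key material that leaves the service.
func (s *SigningService) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign accepts a SHA-256 digest, never the artifact, and checks policy before signing.
func (s *SigningService) Sign(signer string, digest [sha256.Size]byte, now time.Time) ([]byte, error) {
	stamp := now.UTC().Format(time.RFC3339)
	if !s.policy.AllowedSigners[signer] {
		s.Audit = append(s.Audit, fmt.Sprintf("%s REFUSED %s: not an authorised signer", stamp, signer))
		return nil, errors.New("signer not authorised")
	}
	if now.Before(s.policy.NotBefore) || now.After(s.policy.NotAfter) {
		s.Audit = append(s.Audit, fmt.Sprintf("%s REFUSED %s: outside signing window", stamp, signer))
		return nil, errors.New("outside signing window")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	if err != nil {
		return nil, err
	}
	s.Audit = append(s.Audit, fmt.Sprintf("%s SIGNED %s digest=%x", stamp, signer, digest[:8]))
	return sig, nil
}

// Digest runs on the build server or workstation: hash locally, send only the hash.
func Digest(artifact []byte) [sha256.Size]byte { return sha256.Sum256(artifact) }

// Verify is the end-user side: recompute the hash and check it against the publisher's public key.
func Verify(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	// Constructed sample data: a one-day signing window and a stand-in firmware image.
	policy := Policy{
		AllowedSigners: map[string]bool{"build-server-01": true},
		NotBefore:      time.Date(2019, 6, 18, 0, 0, 0, 0, time.UTC),
		NotAfter:       time.Date(2019, 6, 18, 23, 59, 59, 0, time.UTC),
	}
	svc, err := NewSigningService(policy)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v1.2.3")
	inWindow := time.Date(2019, 6, 18, 9, 0, 0, 0, time.UTC)
	sig, err := svc.Sign("build-server-01", Digest(firmware), inWindow)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image verifies:", Verify(svc.PublicKey(), firmware, sig))
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 1 // one bit flipped after signing
	fmt.Println("tampered image verifies:", Verify(svc.PublicKey(), tampered, sig))
	_, err = svc.Sign("contractor-laptop", Digest(firmware), inWindow)
	fmt.Println("unauthorised signer:", err)
	_, err = svc.Sign("build-server-01", Digest(firmware), inWindow.Add(24*time.Hour))
	fmt.Println("outside window:", err)
	for _, line := range svc.Audit {
		fmt.Println(line)
	}
}
```

Note what crosses each boundary: the build server sends a digest and receives a signature, and the only key material that ever leaves the service is the public key. An artifact altered after signing fails verification, but a request from an authorised identity inside the window is signed regardless of what the digest covers, which is why the access policy and the audit trail matter as much as the HSM itself.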

“The Keyfactor platform has many applications for helping secure the Internet of Things, manufacturing, connected automobiles as well as code signing,” says Thales encryption products senior vice president Todd Moore.

“The flexibility of these cloud solutions means customers can move their enterprise services to the cloud and get all the benefits of owning PKI while minimising the risks.”

Gartner Inc recommends companies “leverage code repositories by enabling signing and time stamping code when it's checked in to build up a history over time that can inform specific secure coding behaviours.”

Keyfactor Code Assure allows organisations to:

  • Defend their business and users against the rising threat of code signing hacks
  • Get complete visibility and control of keys and certificates for security teams
  • Enable DevSecOps with simple and secure workflows for developers
  • Deploy with zero disruption to existing SDLC or build processes
  • Support secure code signing of virtually any code, anywhere – including Windows binaries, Java, IoT firmware, and more
  • Empower distributed development teams with a unique, patented technology to sign code from build servers and workstations – without the private keys ever leaving the auditable, protected confines of a Hardware Security Module (HSM)