Do we really have to choose between a Bugatti and a Volvo?
We are taught that life is about choices and sacrifice. Eat the celery or the cheesecake. Get good grades or have fun. Have a successful career or a family. When it comes to buying cars, choice and sacrifice couldn’t be clearer. Buy a car that is safe or buy a car that is fun (and just to be clear, I equate fast with fun).
In business, we often have to make choices and sacrifice one priority for another. Grow revenue more quickly or reduce costs. Add more product features or release a product sooner. These decisions can be tough. In addition, depending where you are in the organization, your priorities (choice and willingness to sacrifice) are likely to be very different from those of that department on the other floor.
When you look at the priorities of the product development organization and the InfoSec team, these differences couldn’t be any bigger. Development teams, under constant pressure from management, competition, are trying to get more products with more features out the door faster than ever. Their priorities and sacrifices are clear: go faster at the expense of security.
InfoSec is also under pressure, but pressure of a different sort. Cybercriminal activity is at an all-time high. Cybercriminals are becoming more creative and bolder. CISOs and InfoSec teams are losing their jobs when a security breach occurs. Their priorities and sacrifices are also clear: increase security, regardless of impact on the speed of the business.
Let’s dive in a little deeper and discuss how these competing priorities manifest themselves when it comes to code signing (don’t know what code signing is? Check out this great resource!). Code signing itself is a simple operation often performed by a free utility provided within a software development environment. However, it’s the process and people involved with code signing that can cause problems.
InfoSec is acutely aware of the risks around stolen or misused code signing keys. They know that this can potentially cause great damage to the organization. Too many recently publicized incidents have also alerted the C-Suite too. InfoSec’s response? Protect these keys at all costs. Establish rigorous processes. Require that their team handle all code signing activities. Move all keys into one central location, accessible only by them.
But this priority has a consequence on the development organization. What they deem to be heavy-handed processes and procedures are slowing them down. They can’t get product out the door as fast as they need to. So, what do they do? They start finding ways to circumvent the system. They obtain their own code signing certificates and keys, or they altogether skip signing code that probably should be signed.
What’s the consequence of this on the InfoSec team? Increased risks for the organization, including private key sprawl and lack of visibility into code signing.
What if you didn’t have to sacrifice speed for security or security for speed? What if you could have the safety of Volvo built into a Bugatti or the speed of a Bugatti built into a Volvo?
When Venafi launched its CodeSign Protect solution earlier this year, we were excited to provide a solution that offered both speed to development teams along with improved security for the InfoSec teams. And we didn’t stop there. We added in flexibility and scalability, something that today’s businesses also require.
Our solution is a hybrid approach to code signing. A part of the code signing operation occurs locally where the development teams are building their software, but the private code signing key used remains protected in a secure, centralized location.
Why is this faster for development teams? They continue to use the same code signing tools they have always used. There is no need to learn new tools or modify existing build automation. Code signing isn’t slowed down because the entire executable is being uploaded to a central server or being hand delivered on a USB stick across the building. Developers don’t have to manage their own certs or keys. Different code signing processes and workflows can be defined for different software projects and phases of the software lifecycle.
Why is this more secure for InfoSec teams? By providing an automated service that offers value to the development team without slowing them down, there is less likelihood that the development team will circumvent the system which will reduce private key sprawl. Resources previously assigned to supporting code signing can be freed up for other InfoSec priorities. Policy enforcement and process are automated ensuring that future audits are clean.
Venafi CodeSign Protect offers a win/win solution to both InfoSec teams and product development teams. There is no need to sacrifice one for the other. You can have that Bugatti/Volvo hybrid car after all.