The natural next step for every enterprise in its cloud migration is to evolve to a Cloud Native experience that fully leverages the innovation that was born in the cloud. To maximize cloud benefits like cost, speed and agility, most businesses are choosing a platform-based service that can support modern CI/CD processes. GitLab is a leading vendor in this space and is recognized by Gartner as a serious player in the CI/CD and Application Release Orchestration market. GitLab CI/CD helps customers speed delivery and improve agility by fully embracing containerization and maximizing the benefits of a cloud platform.
When migrating to the cloud, many organizations make the mistake of assuming that security is fully taken care of by the cloud provider. That is not the case: under the shared responsibility model the provider secures the underlying platform, while everything the enterprise deploys on it, including the workloads, the data, and the build pipelines that produce them, remains the enterprise's responsibility. The result is that after their cloud migration, many enterprise teams still have to retrofit security controls into their software development pipelines.
To address this challenge, many organizations look to solution providers such as Netherlands-based Fullstaq, a specialist in the field of Open Source, DevOps, Cloud Native and high-traffic web hosting. After a previous successful offering with Venafi, Fullstaq is returning for a second round of sponsorship from the Machine Identity Management Development Fund. In this continuing interview series with developers, I have the pleasure of speaking again with Arnold van Wijnbergen, Cloud Native Architect at Fullstaq. He’ll answer questions about the newest code signing integration with GitLab.
Great to have you back again in the Development Fund! Tell us about the GitLab and Code Signing project and why it was important to address.
Arnold: We are very happy to be working with Venafi again! This second Development Fund project seeks to make Venafi CodeSign Protect a closely integrated service in the Cloud Native market with containers. This integration will enable DevOps to go fast with GitLab CI/CD and furthermore transform developers into more solid DevSecOps teams. The integration will be configured by default for security teams to protect code signing machine identities and delivers the visibility, intelligence, control, and automation that modern security teams demand.
There are a number of challenges we saw in this space that needed to be solved. To start, enterprises are exposed to new levels of compliance risk due to manual quality controls that lack automated integrations with software development pipelines, such as GitLab CI/CD. Especially in Cloud Native environments, good security is a must. Security teams also lack visibility and control because they are often left out of architecting, control, and operations of build pipelines.
Next, code signing processes themselves are not automated and don’t properly enforce enterprise policies throughout the pipeline. Plus, code signing approvals are not part of the pipeline and impact productivity of the development teams, diverting them from their primary focus: developing software.
Finally, without the proper controls, private keys can be scattered around many different insecure places. And when these keys aren’t managed well, it can increase the possibility of machine identity loss.
Why is code signing often overlooked by developers?
Arnold: DevOps teams are using more and more containers to execute their job-specific workloads in Cloud Native environments. Containers are great for workload isolation and GitLab delivers a modern CI/CD platform to do just that. Most of the time these job-specific containers that drive the software development pipeline are built by the developer. Increasingly, many of these pipelines incorporate code signing. However, many developers lack security expertise in code signing and machine identities. This can lead to insecure pipelines that are custom scripted, use certificates outside of security team oversight, and aren’t built with security in mind.
For a developer, code signing is just another build step, but they are often so focused that they forget about the controls that are important to security teams. Security controls are there to assure that no risks are introduced, especially the malicious use of the code signing keys. In most cases, all the time-consuming security effort is not aligned with their primary software product outcome.
Why focus on GitLab and how does it impact Venafi customers?
Arnold: GitLab CI/CD is the developer’s favorite choice for implementing a software development pipeline in Cloud Native environments. Even when used with Venafi CodeSign Protect, development teams may sometimes still depend on custom scripts to integrate their pipelines, which can lead to bugs and hassle. Also, basic security simply isn’t sufficient for Cloud Native environments. The developer is still responsible for implementing security measures into the pipeline. For example, certificates and code signing keys should still be stored securely. Without the proper security controls, GitLab can be an easy target for hackers and the most interesting place to find machine identities. Unfortunately, many security teams lack the skills or know-how to help minimize these DevOps risks.
Standardizing containers is a tremendous opportunity to help DevOps and security teams keep code signing fast, safe, and secure with Venafi CodeSign Protect. This integration will be great for Venafi customers since these stakeholders will enjoy the following outcomes from the integration:
- Security teams have improved visibility and control with less effort and more automation.
- Development teams have improved productivity and focus on creating software.
- Product teams have less compliance overhead due to improved quality and increased intelligence delivered by the Venafi platform.
- Risk teams have improved governance and greater control over the assurance and enforcement of enterprise policies for risk compliance.
- Business owners have lower costs than with manual coding and happier customers due to faster product development.
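As an added illustration of the pipeline controls Arnold describes above (an example written for this post, not the Fullstaq/Venafi integration or any GitLab-supplied configuration), the following `.gitlab-ci.yml` contrasts a signing job that handles the private key itself with one that never holds a key at all. The `sign-client` command, the signing service it talks to, the `codesign-cert.pem` file and the artifact names are hypothetical; `openssl` and the GitLab predefined variables `CI_JOB_JWT` and `CI_COMMIT_REF_PROTECTED` are real.

```yaml
# Added example, not the page's own configuration. Only one of the two signing jobs
# would exist in a real pipeline; both are shown so the difference is side by side.
stages:
  - build
  - sign

build:
  stage: build
  image: alpine:3.18
  script:
    - echo "constructed release artifact" > release.bin   # stand-in for a real build step
  artifacts:
    paths: [release.bin]

# WEAK: the private key is a plain CI variable that gets written into the build tree.
# Every pipeline on every branch can read $SIGNING_KEY, any compromised build dependency
# running in the same job can exfiltrate it, the key file can leak via cache or
# artifacts, and nothing checks which key the signature was actually made with.
sign-weak:
  stage: sign
  image: alpine:3.18
  script:
    - apk add --no-cache openssl
    - echo "$SIGNING_KEY" > signing-key.pem
    - openssl dgst -sha256 -sign signing-key.pem -out release.bin.sig release.bin
  artifacts:
    paths: [release.bin, release.bin.sig]

# HARDENED: the runner only ever sees a digest and a signature. The key stays in a
# central signing service (the "sign-client" CLI and its service are hypothetical),
# the job authenticates with its own short-lived job identity instead of a stored
# secret, only pipelines for protected tags get a signing job at all, and the job
# verifies the result against the published certificate before shipping it.
sign:
  stage: sign
  image: alpine:3.18
  rules:
    - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
  script:
    - apk add --no-cache openssl
    - openssl dgst -sha256 -binary -out release.bin.digest release.bin
    # Hypothetical client: sends the digest plus the job's JWT to the signing service,
    # which enforces the approval policy and returns a signature over the SHA-256
    # digest in a form that "openssl dgst -verify" accepts. No key material comes back.
    - sign-client --token "$CI_JOB_JWT" --digest release.bin.digest --out release.bin.sig
    # Verify with the public key of the code signing certificate checked into the repo.
    # A signature from the wrong key, or an artifact changed after hashing, fails here.
    - openssl x509 -in codesign-cert.pem -pubkey -noout > codesign.pub
    - openssl dgst -sha256 -verify codesign.pub -signature release.bin.sig release.bin
  artifacts:
    paths: [release.bin, release.bin.sig, codesign-cert.pem]
```

Two practical notes. First, if a pipeline must carry any secret at all, mark the CI variable as protected and masked in the project settings so unprotected branches cannot read it and it is redacted from job logs; the hardened job needs no long-lived secret, which is the point. Second, `CI_JOB_JWT` is deprecated in newer GitLab releases in favor of the `id_tokens` keyword, so a current pipeline would obtain the job identity that way; the control itself, authenticating the job to a signer that keeps the key, is unchanged.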
The GitLab integration developed by Fullstaq is targeted for availability in Q1 2021. You can learn more from the Venafi Marketplace. And stay tuned for future interviews with Machine Identity Management Development Fund recipients.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.