The world has changed, and now developers are making the decisions on what software and tools to use to build applications and also what to use to protect the machine identities that secure those applications. It's incumbent upon the security teams now to build really strong relationships with the development community. Security has to be baked into the development process, because if you don't provide a mechanism for managing and protecting machine identities at the time of machine development, it can't get bolted on after the fact.
According to a recent Venafi study, most organizations are dangerously unclear as to which teams have the incentives and directives they need to do their vital work. Surprisingly, the survey results showed little or no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments.
Venafi is working closely with the world’s best developers to help bridge the gap between InfoSec and DevOps teams. Here, I’d like to highlight an early contributor. Siggi Skulason was Venafi’s first Individual Developer—an Indie Dev—in the Development Fund. He has been hard at work, but I finally got to catch up with Siggi to chat about his EdgeCA project.
Give us some background about you and your experience and what brought you to the Development Fund.
Siggi: Hi! I've been a software developer for a long time, working remotely for decades on all kinds of projects for many clients worldwide - everything from embedded systems for counting salmon in fish farms to writing parts of the Hotmail system for Microsoft, to working on a Java VM running on many millions of TV set top boxes. Also, things like data quality projects for large chemical companies and information security for financial institutions. I’ve founded a few companies, including one of the first Internet Service Providers in Iceland. Over time though I started focusing on embedded systems and IoT, security, machine identities and edge computing and that’s the area which I’m most interested in.
I now live in Scotland and recently founded a new company there, EdgeSec Ltd, for my projects, developing open source solutions for edge computing security and machine identities. Those projects include EdgeCA, which is a Golang-based ephemeral certificate authority – and the project that brought me to Venafi.
I'm curious to know from an open source developer, what does machine identity management mean to you?
Siggi: Basically, machine identity management links in with everything having to do with security and IoT and embedded devices. In my work with all kinds of different embedded systems and IoT, as well as virtual devices and microservices, it became obvious how important authentication and machine identities are across the board. It just seems that whatever project I get involved in now, it boils down to people trying to solve the same issues having to do with machine identities, authentication and security.
Sounds like that was the challenge to solve for! Tell us how you envisioned your Machine Identity Management Development Fund project.
Siggi: I suppose at a high level, I was trying to create some software to provide machine identities and a really simple, lightweight CA solution that could be deployed on the Edge, be a part of the service mesh and then communicate back to the Venafi backend when appropriate. That way developers could quickly generate all the machine identities that are needed but be supported by Venafi and have all the policy information and all the overseeing capabilities that come with that. People are increasingly thinking about pushing some of the functionality further to the left. That was really the thing. So, that's why I came up with “EdgeCA”, where we can actually generate certificates locally in an Edge scenario.
It runs in a few different modes. It can run completely standalone in a self-signed mode generating certificates or we can have it bootstrapped by the Venafi backend, which provides it with the initial issuing certificate. It’s also possible to run in other modes such as a pass-through mode, where it proxies requests for the Venafi backend system, with some intelligent caching going on just to make things slightly faster at the Edge.
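The two local modes Siggi describes, a self-signed standalone root and an issuing certificate bootstrapped from a parent CA, can be illustrated with Go's standard `crypto/x509` package. The block below is an added example written for this post; it is not EdgeCA's code and the names (`EphemeralCA`, `NewCA`, `IssueLeaf`, `VerifyChain`, the 24-hour `MaxLeafTTL` policy, the `svc.edge.local` host) are assumptions. Keys and certificates live only in process memory, the bootstrapped issuer is constrained to `pathlen:0` so it can sign leaves but not further CAs, and a leaf is refused when it would outlive its issuer or exceed the TTL policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafTTL is an assumed local policy (not from EdgeCA): leaves issued by an
// in-memory CA are short-lived, so an over-long TTL is refused, not clamped.
const MaxLeafTTL = 24 * time.Hour

// EphemeralCA holds an issuing certificate and its private key in memory only;
// nothing is written to disk, so the CA disappears with the process.
type EphemeralCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key and random 128-bit serial for tmpl and signs
// it under parent with signerKey; a nil signerKey means self-signed.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA with parent == nil is the standalone mode: a throwaway self-signed root.
// With a parent it is the bootstrapped mode: the parent signs an issuing
// certificate limited to pathlen:0, so the edge node can mint leaves but no CAs.
func NewCA(name string, ttl time.Duration, parent *EphemeralCA) (*EphemeralCA, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: name}, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 1, // root: may certify one CA below it
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signerCert := tmpl
	var signerKey *ecdsa.PrivateKey // nil: self-signed
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true // issuing CA: leaves only
	}
	cert, key, err := issue(tmpl, signerCert, signerKey)
	if err != nil {
		return nil, err
	}
	return &EphemeralCA{Cert: cert, Key: key}, nil
}

// IssueLeaf issues a short-lived TLS server certificate for one DNS name,
// refusing a TTL outside policy or a leaf that would outlive its issuer.
func (ca *EphemeralCA) IssueLeaf(dnsName string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	if ttl <= 0 || ttl > MaxLeafTTL || now.Add(ttl).After(ca.Cert.NotAfter) {
		return nil, nil, fmt.Errorf("ttl %v refused: policy max %v, issuer expires %v", ttl, MaxLeafTTL, ca.Cert.NotAfter)
	}
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl),
		BasicConstraintsValid: true, // IsCA stays false: explicitly an end-entity
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca.Cert, ca.Key)
}

// VerifyChain checks leaf -> intermediates -> root for dnsName, as a TLS client would.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	root, _ := NewCA("edge-root", 2*time.Hour, nil)       // standalone mode
	issuer, _ := NewCA("edge-issuer", time.Hour, root)    // bootstrapped mode
	leaf, _, err := issuer.IssueLeaf("svc.edge.local", 10*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("chain valid:", VerifyChain(leaf, []*x509.Certificate{issuer.Cert}, root.Cert, "svc.edge.local") == nil)
}
```

Because the `pathlen:0` constraint is carried in the issuing certificate itself, a compromised edge node cannot mint a further CA that a correctly validating client would accept, and the "outlive the issuer" check keeps every leaf inside the lifetime the parent CA granted.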
You have a second stage of your EdgeCA project that you are working on now. Tell us about adding GraphQL functionality.
Siggi: GraphQL is just a way of getting a subset of the available data in a structured way, where you can select what bits you need, rather than with REST, where you get quite a large amount of information. We can utilize this to provide certificates for developers working on frontend systems, where they can use their development environment to easily get the machine identities they need with just one line of code, along with other information which they require from the GraphQL server. So, the machine identities just become another piece of information available to them via the tools and methodologies they are used to. It's all about just making things easy for the developers, but secure for the InfoSec and commercial teams.
Some customers have really embraced open source software. Of course, large organizations want something enterprise, off the shelf, fully supported. Do you have any insight into that? Is that accurate or does it vary between maybe verticals or other groups?
Siggi: Yeah. I suppose that it varies somewhat between verticals. This has changed quite a bit in the last few years though, especially with cybersecurity solutions. People have realized that you should never create your own encryption algorithms and implementations and that security does not come from using proprietary solutions but rather from the opposite – using open source, peer reviewed solutions. Using open source also just makes all aspects of software development easier, faster and more secure, so an increasing number of industries and vertical segments are becoming more open towards using open source.
In my work in finance a decade ago as the head of data quality for the savings banks in Iceland, I saw this starting to happen, with lots of typical closed systems but an increased openness to embracing open source systems. This trend has then picked up and we see for instance with a modern fintech bank like Monzo in the UK that their stack is basically written using Go, Kubernetes and lots of open source elements.
As far as I see, almost every industry and every vertical is moving into a more open source-based future. Just look at the trend with new repositories on GitHub. Companies used to guard their own closed source software base carefully, but with a faster moving world and more complicated security requirements, when you really need that proper peer review and collaboration, it just makes sense to use open source.
Want to know more? You can get the EdgeCA in-memory CA on the Venafi Marketplace today.
This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.
- CNCF and Open-Source Machine Identities
- Linux Foundation Launches sigstore to Combat Open-Source Supply Chain Attacks
- Open-Source Community: CNCF Sandbox Accepts Cert-Manager
- Secure Software Delivery in the Age of IoT