NIST's Security Considerations for Code Signing white paper recommends that organizations separate code signing responsibilities across different roles within the organization. It also recommends that the code signing policy for internal development builds differ from the policy for code delivered to customers. Venafi CodeSign Protect lets your organization define a variety of roles, each with specific permissions, so that no single person holds every capability.
Developers are the users who sign code as part of their normal day-to-day job. They need code signing to be fast and easy. They are not PKI experts: they may not know how code signing certificates are issued, and they may not fully appreciate the importance of protecting the private key. CodeSign Protect keeps code signing both easy and fast for these users. They continue to use the same signing tools they normally use, but the software never leaves their local build machine and the private code signing keys never leave your secured key storage. You get speed and security without trading one for the other.
Approvers are the people who decide that a particular software release is complete, has been thoroughly tested, and is ready for delivery to customers. This role is responsible for approving the use of a particular code signing certificate by a particular individual. Without it, anyone could use any code signing certificate under any circumstances. With CodeSign Protect, you specify who is responsible for approving usage, including multiple layers of approval when a release requires them.
InfoSec teams understand security. They understand Certificate Authorities, which best practices should be followed, and which policies should be enforced. They may not, however, know everything about software development. CodeSign Protect provides a dedicated role for defining certificate policy, covering everything from permitted algorithms and key sizes to which certificate authorities may issue code signing certificates. Once policies are defined, InfoSec does not need to be involved in individual signing operations, because CodeSign Protect enforces those policies through a self-service workflow for developers and approvers.
PKI teams are often understaffed. Traditionally they have been the keepers of all things PKI, and they frequently become the bottleneck of a software release because they are the only people with access to the code signing private keys. With CodeSign Protect, code signing becomes a service, and the PKI team is freed to work on higher-value tasks than signing individual software releases.
If you work with internal or external auditors, you have probably faced questions such as: which code signing certificates are in use, who has authority to sign code, who approves signing, what your policy is, how that policy is enforced, and how many code signing operations have occurred over the past six months. CodeSign Protect keeps a complete record of all code signing activity to answer these questions for just about any audit.
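The developer, approver and auditor paragraphs above all rest on one architectural pattern: the build machine hashes the artifact locally, a central service that holds the private key signs only that digest after checking that the requester is approved for that certificate, and every request is recorded whether or not it was allowed. The following Go program is an added example written for this page, not Venafi's code or API; the service, the role names, the approval table and the sample artifact are constructed stand-ins, and the assumption that the service accepts a digest rather than the full artifact is the general remote-signing pattern, not something the page states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one line of the signing record: who asked, for which
// certificate, what they asked to sign, and whether it was allowed.
type AuditEntry struct {
	When     time.Time
	Signer   string
	CertName string
	Digest   [32]byte
	Allowed  bool
	Reason   string
}

// SigningService stands in for the central signing back end (constructed for
// this example). Private keys live only inside it; callers get signatures,
// never key material.
type SigningService struct {
	keys      map[string]*ecdsa.PrivateKey // certificate name -> signing key
	approvals map[string]map[string]bool   // certificate name -> signer -> approved
	audit     []AuditEntry
}

func NewSigningService() *SigningService {
	return &SigningService{
		keys:      map[string]*ecdsa.PrivateKey{},
		approvals: map[string]map[string]bool{},
	}
}

// AddKey generates a key for a named certificate and returns only the public half.
func (s *SigningService) AddKey(certName string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[certName] = priv
	return &priv.PublicKey, nil
}

// Approve records an approver's decision that signer may use certName.
func (s *SigningService) Approve(certName, signer string) {
	if s.approvals[certName] == nil {
		s.approvals[certName] = map[string]bool{}
	}
	s.approvals[certName][signer] = true
}

// SignDigest is the only signing entry point. It takes a digest, not the
// artifact, enforces the approval, and records the outcome either way.
func (s *SigningService) SignDigest(signer, certName string, digest [32]byte) ([]byte, error) {
	entry := AuditEntry{When: time.Now(), Signer: signer, CertName: certName, Digest: digest}
	defer func() { s.audit = append(s.audit, entry) }() // denied requests are logged too

	priv, ok := s.keys[certName]
	if !ok {
		entry.Reason = "unknown certificate"
		return nil, errors.New(entry.Reason)
	}
	if !s.approvals[certName][signer] {
		entry.Reason = "signer not approved for this certificate"
		return nil, errors.New(entry.Reason)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		entry.Reason = err.Error()
		return nil, err
	}
	entry.Allowed, entry.Reason = true, "signed"
	return sig, nil
}

// Audit returns a copy of the signing record for reviewers.
func (s *SigningService) Audit() []AuditEntry {
	return append([]AuditEntry(nil), s.audit...)
}

// DigestArtifact runs on the build machine: the artifact is hashed locally
// and only the 32-byte digest is sent to the service.
func DigestArtifact(artifact []byte) [32]byte {
	return sha256.Sum256(artifact)
}

// VerifyArtifact is what a consumer of the signed artifact does.
func VerifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	svc := NewSigningService()
	pub, _ := svc.AddKey("release-signing")
	artifact := []byte("constructed sample build output")

	_, err := svc.SignDigest("dev-alice", "release-signing", DigestArtifact(artifact))
	fmt.Println("before approval:", err)
	svc.Approve("release-signing", "dev-alice")
	sig, err := svc.SignDigest("dev-alice", "release-signing", DigestArtifact(artifact))
	fmt.Println("after approval:", err == nil, "valid:", VerifyArtifact(pub, artifact, sig))
	fmt.Println("audit entries:", len(svc.Audit()))
}
```

The point of the split is visible in the types: the build side only ever handles `[32]byte` digests and public keys, `SigningService` never exposes an `*ecdsa.PrivateKey`, and the approval check sits in front of the one code path that can produce a signature. A real deployment would back `keys` with an HSM and make `audit` append-only storage, but the division of responsibilities is the same.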