Software Supply
Chain Security

Granular account management and user access controls

Configure workflows that give you centralized control over your security policies:

• Configure and standardize workflow features, user structures, roles and permissions
• Easy-to-generate dedicated private CA for facilities with site-specific requirements
• Enterprise-wide certificate landscape with import and export of self-signed, private and public end-entity certificates from any CA
• Easy-to-audit tracking of signing activity with timestamping for rapid remediation

Key and certificate security controls

Prevent unauthorized access and use of signing keys with secure key storage, access, and handling:

• Integration with on-premises or cloud-delivered HSMs
• Key access profiles that map to key handling needs: production, test, on-demand, offline, open, restricted
• Static, dynamic, and roaming usage models
• Dual-user confirmation options
• Certificate profile templates and workflows
• Fine-grained granular key access authorization with multi-factor authentication  

Release process controls

Prevent malware from being injected to build servers, with verification that code being signed during the release process matches a baseline build.

Threat Detection

Powered by ReversingLabs, deep analysis of software binaries for threats, software tampering, and other vulnerabilities:

• Uses the world’s largest private database of known malware signatures
• Scans any type of software binary
• Generates a Software Bill of Materials, even for components from third-party open-source and proprietary software

Seamless integration with DevOps workflow

Gain workflow and process security without slowing down agile development objectives:

• Native integration with DevOps CI/CD tools, such as Jenkins, Azure Pipelines, Gradle and more via PKCS11/KSPs
• Hash signing to reduce latency while keeping code secure
• Signing via API, command-line, or console
• Common interface to multiple signing tools

FLEXIBLE DEPLOYMENT THAT SCALES

Streamline deployment and new feature rollout with a container-based architecture that future-proofs your investment and enables you to stay abreast of industry compliance requirements:

• Achieve fast time to value with a container-based architecture that is rapidly deployed and highly scalable
• Flexibility in deployment models: on-premises, public or private cloud, or hybrid
• Pair with local datacenters for in-country requirements
• Dedicated private CA options

What is software and code signing?

Code signing is a method to confirm that code or other digital binaries have not been altered. This method leverages the Public Key Infrastructure (PKI) framework to attest to the integrity of the code or binaries. Code signing acts like a digital shrink wrap.

The process:

• Signing creates a “package” with the signed code or file.
• The signed code is sent.
• If the “packaging” was not damaged in transit, the recipient knows the file has not been tampered with. It can be trusted.
• If the “packaging” was damaged then the file has been tampered with and cannot be trusted.

Why is code signing important?

Code signing minimizes the risks of code tampering. With signed code, the recipient gets a security warning when the integrity check fails during download. This helps recipients to avoid downloading tampered code which may contain malware. Code signing is an important part of software trust management.