Code Signing Trust

Can we automate code signing?

Yes. Code signing workflows can be integrated with the software development lifecycle (SDLC) through Application Programming Interfaces (APIs) and automated as part of the process, so that every release is signed in a way that complies with industry requirements and corporate security policies.

What is automated code signing?

Code signing automation refers to the centralized management of end-to-end code signing workflows within a software development lifecycle. Automated solutions:

  1. Secure signing keys with granular access permissions
  2. Enforce corporate policy by automating workflows and enabling granular user management with role-based actions and permissions
  3. Centralize tracking and management of signing activity
  4. Integrate with CI/CD systems and tools

Code signing workflows can be integrated with SDLC processes such as CI/CD through Application Programming Interfaces (APIs) and automated as part of the pipeline, ensuring compliance with industry requirements and corporate security policies. Code signing automation allows an organization to adopt code signing practices without impeding the speed of software delivery.
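The four capabilities above (central key custody, role-based policy, audit tracking, and a CI/CD-facing API) can be illustrated with a small signing service. The following Go program is an added example written for this page, not code from any vendor's product: the role names, pipeline names, `SigningService` type and `Sign`/`Verify` functions are assumptions made for illustration, and the fixed key seed is a constructed value for reproducibility only (a production service would keep the key in an HSM or a managed key store).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Role is the caller's role as asserted by the CI/CD identity layer.
// The role names are constructed for this example.
type Role string

const (
	RoleDeveloper      Role = "developer"
	RoleReleaseManager Role = "release-manager"
)

// SignRequest is what a pipeline job submits to the signing API. The job never
// receives the private key; it sends the artifact, its identity and its pipeline name.
type SignRequest struct {
	Requester string
	Role      Role
	Pipeline  string
	Artifact  []byte
}

// AuditEntry records every signing decision, allowed or denied, for central tracking.
type AuditEntry struct {
	When      time.Time
	Requester string
	Pipeline  string
	Digest    string
	Allowed   bool
	Reason    string
}

// SigningService keeps the key in one place and applies policy to each request.
type SigningService struct {
	priv             ed25519.PrivateKey // never returned to callers
	allowedPipelines map[string]bool
	Audit            []AuditEntry
}

// NewSigningService derives a key from a 32-byte seed. A fixed seed is used here
// only so the example is reproducible; a real service generates or imports the key in an HSM.
func NewSigningService(seed []byte, allowedPipelines []string) (*SigningService, error) {
	if len(seed) != ed25519.SeedSize {
		return nil, fmt.Errorf("seed must be %d bytes", ed25519.SeedSize)
	}
	s := &SigningService{priv: ed25519.NewKeyFromSeed(seed), allowedPipelines: map[string]bool{}}
	for _, p := range allowedPipelines {
		s.allowedPipelines[p] = true
	}
	return s, nil
}

// PublicKey is all that consumers need to verify signatures.
func (s *SigningService) PublicKey() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

// Sign enforces policy, signs the SHA-256 digest of the artifact and records the decision.
func (s *SigningService) Sign(req SignRequest) ([]byte, error) {
	digest := sha256.Sum256(req.Artifact)
	entry := AuditEntry{When: time.Now(), Requester: req.Requester,
		Pipeline: req.Pipeline, Digest: hex.EncodeToString(digest[:])}
	// Append the entry on every exit path so denials are tracked as well as successes.
	defer func() { s.Audit = append(s.Audit, entry) }()

	switch {
	case req.Role != RoleReleaseManager: // role-based permission
		entry.Reason = "role not permitted to sign"
	case !s.allowedPipelines[req.Pipeline]: // only registered pipelines may request signatures
		entry.Reason = "pipeline not registered for signing"
	case len(req.Artifact) == 0:
		entry.Reason = "empty artifact"
	}
	if entry.Reason != "" {
		return nil, errors.New(entry.Reason)
	}
	entry.Allowed, entry.Reason = true, "signed"
	return ed25519.Sign(s.priv, digest[:]), nil
}

// Verify is the consumer-side check (installer, deployment gate): recompute the digest
// and validate the signature against the published public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed: demo only
	svc, _ := NewSigningService(seed, []string{"release-build"})
	artifact := []byte("constructed build output")
	sig, err := svc.Sign(SignRequest{Requester: "ci-bot", Role: RoleReleaseManager,
		Pipeline: "release-build", Artifact: artifact})
	fmt.Println("signed:", err == nil, "verifies:", Verify(svc.PublicKey(), artifact, sig))
	_, err = svc.Sign(SignRequest{Requester: "alice", Role: RoleDeveloper,
		Pipeline: "release-build", Artifact: artifact})
	fmt.Println("developer request denied:", err)
	for _, e := range svc.Audit {
		fmt.Printf("%s %s allowed=%v (%s)\n", e.Requester, e.Pipeline, e.Allowed, e.Reason)
	}
}
```

The design choice worth noting is that the pipeline job only ever calls `Sign` over an API boundary and receives a signature back: the private key stays inside the service, the role and pipeline checks run before any signing happens, and the audit log captures denied requests as well as successful ones, which is what makes a central signing service auditable rather than merely convenient.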

How have software security risks increased?

Security risks related to unsigned code have increased as a result of three trends:

  • Frequency of software builds: Companies have adopted agile development and CI/CD methodologies to shorten release cycles. As a result, software builds and merges take place at a much more rapid pace than in traditional waterfall development models.
  • Increasing complexity of the software supply chain: The software supply chain has grown in size and complexity, and applications often embed many individual code packages from multiple corporate sources or third-party organizations. Because developer security policies and processes vary from organization to organization, and because software and code move within and between organizations in these builds, the attack surface is much broader than when software is developed end-to-end within a single development team.
  • Consequences of breach: High profile cases of ransomware and data breaches have underscored the significant impact that these events can have on brand trust as well as the financial expense of remediation.