Beyond Identity announced a solution that closes a critical vulnerability and secures the software supply chain against insider threats and malicious attacks. Beyond Identity’s new Secure DevOps product establishes a simple, secure, and automated way to confirm that all source code entering a corporate repository and processed by the continuous integration/continuous deployment (CI/CD) pipeline is signed by a key that is cryptographically bound to a corporate identity and device. This ensures trust, integrity, and auditability for every piece of source code that is built into the end software product.
As software development moved to the cloud, the build environment became an attractive target for malicious actors looking to establish deep and broad compromise within organizations. From SolarWinds to Kaseya, the vulnerability of the software supply chain and the potential for damage have never been clearer or more urgent. However, the speed and highly distributed nature of agile software development processes resist tighter security controls.
Today, it is virtually impossible to track source code provenance because developers often don’t sign source code committed to corporate repositories, and those that do typically use keys tied to a personal identity rather than a validated corporate identity. Currently, source code signing is highly manual and requires centralized key management, where key sprawl is high, and keys cannot be trusted because they can be moved from one device to another. While signing binaries exiting the CI/CD pipeline is common practice, this only ensures that production code was built by the organization and leaves the earlier part of the process vulnerable to a rogue engineer or adversary.
“Agile software development accelerated the speed of innovation and changed the game for so many companies,” said Johnathan Hunt, Vice President of Security at GitLab. “We believe that by using a single DevOps platform like GitLab that embeds security early within every stage of the DevOps lifecycle, developers can reduce regressive rework and minimize vulnerabilities. We appreciate the value that Beyond Identity brings in further fortifying the security of source code commits and protecting against malicious code injection.”
Beyond Identity’s solution ensures source code signing keys are trustworthy by tying them explicitly to a corporate identity and a specific device. With an extremely easy, one-time setup for engineers and DevSecOps teams, the solution creates unmovable GPG keys that are bound to, and secured in hardware enclaves on, work-issued systems.
This also enables greater centralized control and key revocation. Doing so allows complete tracking of source code provenance for the purposes of QA and forensic audit. In the past, key management as a service required developers to manage keys themselves, without consistent, secure storage, leaving open the risky behavior of moving keys to multiple devices with relative ease.
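To make the verification step concrete, here is an added example (not Beyond Identity's code) of the kind of CI gate the approach above implies: every commit entering the repository must carry a valid GPG signature, and the signing key's fingerprint must appear on an allowlist that maps it to a corporate identity and device. The allowlist, identities, device names, fingerprints and log lines are all constructed; the input format is what `git log --format='%H %G? %GF'` prints.

```python
"""CI gate: every commit in a range must carry a valid GPG signature from a key on a
corporate allowlist.  Added example, not Beyond Identity's code."""
from typing import Dict, List, Tuple

# Hypothetical allowlist with constructed fingerprints; in the scheme described above each
# key would be bound to one corporate identity and one specific work-issued device.
TRUSTED_KEYS: Dict[str, Tuple[str, str]] = {
    "4F2A9C1E7B3D5A8F0C6E2B4D9A1F3C5E7B8D0A2C": ("alice@corp.example", "laptop-0042"),
    "9B1D3F5A7C2E4B6D8F0A1C3E5B7D9F2A4C6E8B0D": ("bob@corp.example", "laptop-0107"),
}
# git's %G? codes: G good, U good but key validity unknown to gpg, B bad, N unsigned,
# E cannot check, X/Y expired signature/key, R revoked key.
VERIFIED = {"G", "U"}  # cryptographically valid; trust is decided by the allowlist, not gpg

Check = Tuple[str, bool, str]  # (sha, passed, reason)
def check_commit(sha: str, status: str, fingerprint: str,
                 trusted: Dict[str, Tuple[str, str]] = TRUSTED_KEYS) -> Check:
    if status == "N":
        return (sha, False, "commit is unsigned")
    if status not in VERIFIED:
        return (sha, False, f"signature status {status}: not a valid signature")
    if fingerprint not in trusted:
        return (sha, False, "key is not bound to a corporate identity")
    identity, device = trusted[fingerprint]
    return (sha, True, f"signed by {identity} on {device}")

def check_log(log_text: str) -> List[Check]:
    """log_text is the output of `git log --format='%H %G? %GF' origin/main..HEAD`;
    %GF (signing-key fingerprint) is empty when the commit is unsigned."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        results.append(check_commit(fields[0], fields[1], fields[2] if len(fields) > 2 else ""))
    return results

def gate(log_text: str) -> bool:
    """True only when every commit passes; the pipeline step fails the build on False."""
    return all(passed for _, passed, _ in check_log(log_text))

# Constructed sample: corporate key; corporate key unknown to gpg's trustdb; unsigned commit;
# personal key not on the allowlist; corrupted signature from a corporate key.
SAMPLE_LOG = """a1b2c3d4 G 4F2A9C1E7B3D5A8F0C6E2B4D9A1F3C5E7B8D0A2C
e5f6a7b8 U 9B1D3F5A7C2E4B6D8F0A1C3E5B7D9F2A4C6E8B0D
c9d0e1f2 N
11223344 G 0000111122223333444455556666777788889999
55667788 B 4F2A9C1E7B3D5A8F0C6E2B4D9A1F3C5E7B8D0A2C"""
```

Only the first two sample commits pass: the allowlist, not gpg's web of trust, decides whether a cryptographically valid signature is trusted, which is why status `U` is accepted when the fingerprint is known.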
“As a business that is cloud-based, the Beyond Identity authentication approach was a no-brainer for us,” said Mario Duarte, Vice President of Security at Snowflake. “As I looked closer at their innovative architecture, I saw instant applicability, and huge value specifically, with source code signing and GitHub. It was a perfect opportunity to work with Beyond Identity to design a product that’s tailor-made to address these security concerns.”
“Waiting until after the build to sign code, while easier, is like signing a contract without reviewing the fine print,” said TJ Jermoluk, CEO of Beyond Identity. “Much like a contract, the devil is buried in the details among multiple developers and a multitude of source code commits. And as we’ve seen recently, malicious injections can evade detection for years and compromise multiple companies – regardless of the strength of their organizational security posture. As we’ve done with our Secure Work product, taking the risk – and burden – of passwords and signing keys out of users’ hands not only greatly improves security, but also greatly accelerates access and productivity.”