Unbound Security unveiled code signing key protection capabilities within Unbound CORE to ensure enterprises defend against the rise in software supply chain attacks.
Unbound CORE’s advanced code signing solution offers an enhanced approach with server-side deployment to enable centralized management and “scan-before-sign” capabilities in addition to client-side code signing approaches. As a result, enterprises can prevent both key theft and misuse, previously impossible with client-side tools.
Once hackers gain access to a code signing key, either through stealing the key or penetrating a build server, they can easily disguise malware and introduce risk to the entire software supply chain. Placing these keys inside a hardware security module (HSM) or a cloud-based key management system (KMS) can help protect against theft but not misuse. Holding the key in the same location as the data also increases security risks and creates complex fragmentation.
Powered by multiparty computation (MPC), Unbound CORE splits a secret key into multiple pieces and places them on different servers and devices. Because the key is never assembled, even during its generation, it is impossible for hackers to gain access to vital information. Having this functionality on the server side avoids the need to install, manage, and patch or upgrade client-side tools, and makes it possible to prevent key misuse.
With the platform’s new “scan-before-sign” functionality, enterprises can enforce global security policies, such as having code scanned for malware or checked by multiple internal stakeholders before it can be signed.
Yehuda Lindell, CEO at Unbound Security, comments: “Many of our clients specifically requested we introduce ‘scan-before-sign’ because they’ve not been able to access it elsewhere until now. Having central visibility of all keys, including who uses them, is vital and our latest version of CORE takes code signing to the next level. We see this as a game-changer in the prevention of supply chain attacks, which continue to make headlines and are a major threat for software providers.”
Unisys, the global IT solutions company, has already deployed Unbound CORE to strengthen its security with centralized management of code signing and cryptographic keys. Mathew Newfield, chief information officer and chief security officer at Unisys, comments: “As a global technology company, Unisys needed to advance our code signing ability and this was a high priority item and a critical component in our partnership with Unbound. Not only did we need to make sure that the code that we’re developing is not being modified, free of malware and only modifiable with the appropriate permissions, but we also needed to prove full chain of custody. With Unbound CORE managing our code signing keys, we are applying the highest level of security, as well as being able to show that our code was properly implemented into the target environment.”
Unbound CORE creates a virtual mesh of an enterprise’s key management and protection devices, wherever they are. This provides a unified approach to key storage, giving organizations unbeatable security and the freedom to choose the key store that best suits their needs.
CORE can be deployed on-premises, on any cloud, across multiple clouds, and in hybrid environments. CORE also eases issues with vendor lock-in for cloud applications and key management systems.