In today’s software-driven, highly interconnected business landscape, trust is non-negotiable. Having the right solutions and practices in place that help establish and preserve digital trust is highly critical for business survival and growth.
That’s why, we are pleased to announce the launch of our new code signing solution, AppViewX SIGN+.
AppViewX SIGN+ is a fast, reliable, and secure code signing solution built to protect the integrity of code, containers, firmware, and software. With a centralized and integrated approach, AppViewX SIGN+ is designed to simplify code signing for DevOps, enhance software supply chain security, and extend trust to end users.
Before diving into the capabilities of AppViewX SIGN+, let us first understand why code signing is essential for establishing digital trust in modern software supply chains.
Why Code Signing Matters?
Code Signing is a process of digitally signing code, software, firmware, or mobile applications to assure the end users of their authenticity and integrity. It also allows software providers to protect intellectual property, ensure compliance, strengthen software supply chain security, and uphold their brand reputation.
Given its advantages, code signing is now being applied to various other enterprise use cases, such as DevOps, SecOps, IoT, Software Development Kits (SDKs) and Frameworks, Infrastructure Provisioning, and more.
However, Unreliable Code Signing Practices Put Businesses At Greater Risk
The importance of code signing in protecting organizations against malware injection, software and code tampering, and impersonation attacks is beyond question. Yet, code signing can become a potential gateway for these attacks when it is not securely implemented. The attacks can continue to occur and even go undetected when code signing keys, certificates, and processes are not properly managed.
We all know the catastrophic domino effect triggered by the SolarWinds code signing attack (SUNBURST). The software supply chain attack left thousands of organizations struggling to cope with the data breach, financial losses, regulatory penalties, and reputational damage caused by the attack.
Although the SUNBURST attack served as a watershed moment, highlighting the need to secure and manage code signing processes better, numerous alarming code signing related incidents have occurred since, such as the code signing certificate theft suffered by Nvidia and GitHub.
With the surge in software consumption and rapid adoption of DevOps practices, code signing has become an enticing target for threat actors, offering them a relatively effortless route to infiltrate even the most secure organizations.
Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
Despite the glaring threat and the severity of consequences, most organizations are still struggling to implement secure code signing best practices. Many still cling to ad-hoc and disjointed processes that are highly unreliable and expose organizations and their software to vulnerabilities and attacks.
Some of these practices include:
- Private Key Mismanagement: Private keys are a huge target yet continue to be stored insecurely and managed locally by developers, exposing organizations to private key theft and misuse.
To ensure robust private key protection, the CA/Browser Forum recently passed a mandate that requires all publicly trusted code signing private keys to be generated and stored in secure hardware crypto modules such as hardware security modules (HSMs) that are at least FIPS 140-2 Level 2 or Common Criteria EAL 4+ and not on local machines.
- Inefficient Signing Processes: Traditional code signing methods lack integration with native DevOps tools and processes, causing delays and impacting agility. Using individual crypto tokens for private key storage complicates code signing for developers, as they are not practical or scalable for distributed teams. Alternatively, private keys can be securely stored on Hardware Security Modules (HSMs), however, connecting enterprise systems to the HSM for signing is a complex process.
- Lack of Visibility or Control Over Code Signing Events: With developers using different signing tools and managing private keys independently, security teams lack visibility into code signing certificate storage, key access, and signing events across their organization. This creates security risks and compliance issues.
How Does AppViewX SIGN+ Simplify Code Signing and Ensure Security?
Here’s a look into the AppViewX SIGN+ capabilities that help organizations overcome these challenges and make code signing secure, seamless, and controlled for DevOps and security teams.
With AppViewX SIGN+, private keys are generated and stored securely in FIPS 140-2 certified HSMs as mandated by the CA/Browser Forum. It integrates seamlessly and directly with both cloud-based and on-premises HSMs for fast and secure signing. Users also have the flexibility to opt for a compliant HSM of their choice (on-premises or cloud based) or choose code signing as a service. Along with protecting signing keys on compliant HSMs, security teams are able to manage key access and usage centrally, which significantly reduces the risk of private key theft and misuse.
AppViewX SIGN+ makes code signing easy and seamless for distributed development teams with integrated and flexible signing options from native signing tools, CI/CD pipeline, custom workflows, and the AppViewX SIGN+ console. Integrated code signing makes the signing process efficient for developers, allowing them to sign code from anywhere and from any signing tool without worrying about key management and storage. AppViewX SIGN+ also supports a wide range of file types developers use, including Windows Applications, libraries, OCX files, Kernel drivers, Apple software, Microsoft Office VBA objects, JAR files, .air or .airi files, containers, and Android APK files.
AppViewX SIGN+ enables policy-controlled signing through granular Role-based Access Control (RBAC) and user authentication and authorization to facilitate a secure code signing process. It provides intuitive dashboards and detailed audit logs and reports to track code signing events, simplify audits, and ensure continuous compliance. Having crucial information all in one place improves visibility and gives security teams complete control over code signing keys, certificates, and signing events across the enterprise.
The integrations and flexibility of AppViewX SIGN+ enables code signing processes to be seamless to DevOps processes and give security teams the visibility and control they need.
“As a cloud-based HSM provider, Fortanix quickly enables DevOps teams to implement a solution that meets the CA/B Forum requirement for protecting their code signing private keys. With our partnership with AppViewX, we can now jointly offer an end-to-end code signing solution that makes the process secure, seamless and controlled for distributed development teams of all sizes.”
- Faiyaz Shahpurwala, Chief Product and Strategy Officer at Fortanix
Get Started with AppViewX SIGN+
AppViewX SIGN+ is available now and can be deployed on premises or consumed as a SaaS solution. It is part of the AppViewX Digital Trust Platform that includes AppViewX CERT+, AppViewX PKI+, and AppViewX KUBE+ for automating PKI and certificate lifecycle management across complex hybrid multi-cloud and Kubernetes environments.
If you are ready to unlock the benefits of AppViewX SIGN+ and take your code signing to the next level, head to our product page now to request a personalized demo.
Simplify code signing for your DevOps teams and safeguard your software supply chain with fast, reliable, and secure code signing from AppViewX SIGN+. Contact us today!