Introduces Secure and Automated Way to Ensure All Source Code Entering GitHub, GitLab, and Bitbucket Repositories is Signed by a Developer With a Validated Corporate Identity
Passwordless MFA provider Beyond Identity today announced a groundbreaking solution that closes a critical vulnerability and secures the software supply chain against insider threats and malicious attacks. Beyond Identity’s new Secure DevOps product establishes a simple, secure, and automated way to confirm that all source code entering a corporate repository and processed by the continuous integration/continuous deployment (CI/CD) pipeline is signed by a key that is cryptographically bound to a corporate identity and device. This ensures trust, integrity, and auditability for every piece of source code that is built into the end software product.
As software development moved to the cloud, the build environment became an attractive target for malicious actors looking to establish deep and broad compromise within organizations. From SolarWinds to Kaseya, the vulnerability of the software supply chain and the potential for damage have never been clearer or more urgent. However, the speed and highly distributed nature of agile software development processes resist tighter security controls. Today, it is virtually impossible to track source code provenance because developers often don’t sign source code committed to corporate repositories, and those who do typically use keys tied to a personal identity rather than a validated corporate identity. Currently, source code signing is highly manual and requires centralized key management, where key sprawl is high and keys cannot be trusted because they can be moved from one device to another. While signing binaries exiting the CI/CD pipeline is common practice, this only ensures that production code was built by the organization; it leaves the earlier part of the process vulnerable to a rogue engineer or adversary.
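The check the two paragraphs above describe, enforced at the repository or CI boundary, amounts to: every commit in the incoming range must carry a valid signature, and the signing key must be one registered to a corporate identity. The following is an added illustration written for this page, not Beyond Identity's product code. It uses the real `git log --format` placeholders `%H`, `%G?` and `%GF` (commit hash, signature status letter, signing-key fingerprint), but the allowlisted fingerprints, the commit hashes and the sample log output are constructed placeholders. It assumes the CI runner has the registered public keys imported into its keyring so that git can verify the signatures at all.

```python
"""
Hypothetical CI gate: reject any commit whose GPG signature is missing, invalid,
or made by a key that is not on the corporate allowlist.
Added example for this page; not the vendor's own code.
"""
import subprocess
from dataclasses import dataclass

# Constructed allowlist: fingerprints of keys registered to validated corporate
# identities. These are placeholders, not real keys.
ALLOWED_FINGERPRINTS = {
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
    "1234ABCD5678EF901234ABCD5678EF901234ABCD",
}

# Real git placeholders: %H commit hash, %G? signature status, %GF key fingerprint.
LOG_FORMAT = "%H %G? %GF"

# Meaning of the %G? status letters, as documented for git log --format.
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key not trusted in the local keyring",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (public key missing)",
    "N": "no signature",
}


@dataclass
class Violation:
    commit: str
    reason: str


def parse_log_line(line):
    """Split one '<hash> <status> <fingerprint>' line; unsigned commits have an empty fingerprint."""
    parts = line.strip().split(" ", 2)
    commit = parts[0]
    status = parts[1] if len(parts) > 1 else "N"
    fingerprint = parts[2].strip().upper() if len(parts) > 2 else ""
    return commit, status, fingerprint


def check_commits(log_output, allowed=ALLOWED_FINGERPRINTS):
    """Return a Violation for every commit that should block the merge or build."""
    violations = []
    for line in log_output.splitlines():
        if not line.strip():
            continue
        commit, status, fingerprint = parse_log_line(line)
        # Trust is decided by the allowlist, not the runner's local trust database,
        # so 'U' (good signature, untrusted key) is acceptable if the key is registered.
        if status not in ("G", "U"):
            violations.append(Violation(commit, STATUS_MEANING.get(status, f"unknown status {status!r}")))
        elif fingerprint not in allowed:
            violations.append(Violation(commit, f"signed by unregistered key {fingerprint or '<none>'}"))
    return violations


def git_log_signatures(rev_range, repo="."):
    """Collect signature data for a commit range (e.g. 'origin/main..HEAD') from a real checkout."""
    result = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample output in the LOG_FORMAT shape, covering the cases a gate must handle.
SAMPLE_LOG = """\
c1c1c1c1 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
c2c2c2c2 N 
c3c3c3c3 G FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000
c4c4c4c4 B 1234ABCD5678EF901234ABCD5678EF901234ABCD
c5c5c5c5 U 1234ABCD5678EF901234ABCD5678EF901234ABCD
"""

if __name__ == "__main__":
    # Replace SAMPLE_LOG with git_log_signatures("origin/main..HEAD") inside a real pipeline.
    for v in check_commits(SAMPLE_LOG):
        print(f"REJECT {v.commit}: {v.reason}")
    raise SystemExit(1 if check_commits(SAMPLE_LOG) else 0)
```

Run against the constructed sample, the gate rejects the unsigned commit, the commit signed by an unregistered key, and the commit with a bad signature, while accepting the two commits signed by allowlisted keys. In a real pipeline the allowlist is the artifact that ties a fingerprint to a validated corporate identity; keeping it outside the repository (so a committer cannot add their own key in the same push) is what makes the check meaningful.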
“Agile software development accelerated the speed of innovation and changed the game for so many companies,” said Johnathan Hunt, Vice President of Security at GitLab. “We believe that by using a single DevOps platform like GitLab that embeds security early within every stage of the DevOps lifecycle, developers can reduce regressive rework and minimize vulnerabilities. We appreciate the value that Beyond Identity brings in further fortifying the security of source code commits and protecting against malicious code injection.”
Beyond Identity’s revolutionary solution ensures source code signing keys are trustworthy by tying them explicitly to a corporate identity and a specific device. With an extremely easy, one-time setup for engineers and DevSecOps teams, the solution creates unmovable GPG keys that are bound to, and secured in hardware enclaves on, work-issued systems. This also enables greater centralized control and key revocation, and allows complete tracking of source code provenance for the purposes of QA and forensic audit. In the past, key management as a service required developers to manage keys themselves, without consistent, secure storage, leaving them free to copy keys to multiple devices with relative ease.
“As a business that is cloud-based, the Beyond Identity authentication approach was a no-brainer for us,” said Mario Duarte, Vice President of Security at Snowflake. “As I looked closer at their innovative architecture, I saw instant applicability, and huge value specifically, with source code signing and GitHub. It was a perfect opportunity to work with Beyond Identity to design a product that’s tailor-made to address these security concerns.”
“Waiting until after the build to sign code, while easier, is like signing a contract without reviewing the fine print,” said TJ Jermoluk, CEO of Beyond Identity. “Much like a contract, the devil is buried in the details among multiple developers and a multitude of source code commits. And as we’ve seen recently, malicious injections can evade detection for years and compromise multiple companies – regardless of the strength of their organizational security posture. As we’ve done with our Secure Work product, taking the risk – and burden – of passwords and signing keys out of users’ hands not only greatly improves security, but also greatly accelerates access and productivity.”
To learn more about Beyond Identity’s Secure DevOps product, please visit: https://www.beyondidentity.com/blog/introducing-code-commit-signing-secure-your-sdlc
About Beyond Identity
Beyond Identity provides the most secure authentication platform in the world. Breaking down barriers between cybersecurity, identity, and device management, Beyond Identity fundamentally changes the way the world logs in – eliminating passwords and providing users with a frictionless, multi-factor login experience. Beyond passwordless, the company provides the zero-trust access needed to secure hybrid work environments, where tightly controlling which users and which devices are accessing critical cloud resources has become essential. The advanced platform collects dozens of user and device risk signals during each login – enabling customers to enforce continuous, risk-based access control. The innovative architecture replaces passwords with the proven asymmetric cryptography that underpins TLS and protects trillions of dollars in transactions daily. Customers turn to Beyond Identity to stop cyberattacks, protect their most critical data, and meet compliance requirements.
The company was founded by Jim Clark and TJ Jermoluk, who helped ignite the commercial internet with Netscape and @Home Network. The dynamic duo assembled an all-star team and created the world’s most advanced passwordless identity platform, at a time when digital transformation is impacting every business and cyberattacks have become a top risk. The company has raised $105 million from premier investors Koch Disruptive Technologies (KDT) and New Enterprise Associates (NEA). Beyond Identity is headquartered in New York City with offices in Boston, Dallas, Miami, and London. Visit www.beyondidentity.com for more information.
All product and company names herein may be trademarks of their respective owners.