Freely subscribe to our NEWSLETTER

As software development moved to the cloud, the build environment became an attractive target for malicious actors looking to establish deep and broad compromise within organizations. From SolarWinds to Kaseya, the vulnerability of the software supply chain and the potential for damage has never been more clear or urgent. However, the speed and highly distributed nature of agile software development processes resists tighter security controls. Today, it is virtually impossible to track source code provenance because developers often don’t sign source code committed to corporate repositories, and those that do typically use keys tied to a personal identity rather than a validated corporate identity.

Currently, source code signing is highly manual and requires centralized key management, where key sprawl is high, and keys cannot be trusted because they can be moved from one device to another. While signing binaries exiting the CI/CD pipeline is common practice, this only ensures that production code was built by the organization and leaves the earlier part of the process vulnerable to a rogue engineer or adversary.

Beyond Identity’s revolutionary solution ensures source code signing keys are trustworthy by tying them explicitly to a corporate identity and a specific device. With an extremely easy, one-time setup for engineers and DevSecOps teams, the solution creates unmovable GPG keys that are bound to, and secured in hardware enclaves on, work-issued systems. This also enables greater centralized control and key revocation. Doing so allows complete tracking of source code provenance for the purposes of QA and forensic audit. In the past, key management as a service required developers to manage keys themselves, without consistent, secure storage, leaving open the risky behavior of moving keys to multiple devices with relative ease.