Beyond Identity Closes Software Supply Chain Vulnerability
September 2021 by Marc Jacob
Passwordless MFA provider Beyond Identity announced a groundbreaking solution that closes a critical vulnerability and secures the software supply chain against insider threats and malicious attacks. Beyond Identity’s new Secure DevOps product establishes a simple, secure, and automated way to confirm that all source code entering a corporate repository and processed by the continuous integration/continuous deployment (CI/CD) pipeline is signed by a key that is cryptographically bound to a corporate identity and device. This ensures trust, integrity, and auditability for every piece of source code that is built into the end software product.
As software development moved to the cloud, the build environment became an attractive target for malicious actors looking to establish deep and broad compromise within organizations. From SolarWinds to Kaseya, the vulnerability of the software supply chain and the potential for damage have never been clearer or more urgent. However, the speed and highly distributed nature of agile software development processes resist tighter security controls. Today, it is virtually impossible to track source code provenance because developers often don’t sign source code committed to corporate repositories, and those who do typically use keys tied to a personal identity rather than a validated corporate identity.
Currently, source code signing is highly manual and requires centralized key management, where key sprawl is high, and keys cannot be trusted because they can be moved from one device to another. While signing binaries exiting the CI/CD pipeline is common practice, this only ensures that production code was built by the organization and leaves the earlier part of the process vulnerable to a rogue engineer or adversary.
Beyond Identity’s revolutionary solution ensures source code signing keys are trustworthy by tying them explicitly to a corporate identity and a specific device. With an extremely easy, one-time setup for engineers and DevSecOps teams, the solution creates unmovable GPG keys that are bound to, and secured in hardware enclaves on, work-issued systems. This also enables greater centralized control and key revocation. Doing so allows complete tracking of source code provenance for the purposes of QA and forensic audit. In the past, key management as a service required developers to manage keys themselves, without consistent, secure storage, leaving open the risky behavior of moving keys to multiple devices with relative ease.
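The CI/CD gate the article describes, rejecting any commit that is not signed by a key on a corporate allowlist, as an added example (not Beyond Identity's product code). It assumes git's `%G?`/`%GP` signature placeholders, a `GNUPGHOME` holding only corporate public keys, and a hypothetical `corp-fingerprints.txt` allowlist; the sample records below are constructed.

```shell
#!/bin/sh
# Added example: gate every commit in a push range on (1) a valid signature and
# (2) a signing key whose primary fingerprint is on the corporate allowlist.
# Record format, one per commit: "<sha> <status> <primary-key-fingerprint>"
# where status is git's %G? code: G good, U good/unknown trust, N unsigned,
# B bad, E missing key, X/Y expired, R revoked.

check_commit_line() {
  line=$1; allow=$2
  set -- $line                      # word-split the record into sha/status/fpr
  sha=$1; status=$2; fpr=$3
  case "$status" in
    G|U) ;;                         # cryptographically valid; now check who signed
    N)   echo "REJECT $sha: unsigned"; return 1 ;;
    *)   echo "REJECT $sha: signature status $status"; return 1 ;;
  esac
  [ -n "$fpr" ] || { echo "REJECT $sha: no key fingerprint"; return 1; }
  case " $allow " in
    *" $fpr "*) echo "OK $sha signed by corporate key $fpr"; return 0 ;;
    *) echo "REJECT $sha: key $fpr is not a corporate key"; return 1 ;;
  esac
}

# Read records on stdin; fail (return 1) if any commit is rejected, but report all.
gate_range() {
  allow=$1; bad=0
  while read -r rec; do
    [ -n "$rec" ] || continue
    check_commit_line "$rec" "$allow" || bad=1
  done
  return $bad
}

# Constructed sample data (not real commits or keys): two commits signed by a
# corporate key, one unsigned, one signed by a key outside the allowlist.
CORP_ALLOWLIST='1111222233334444555566667777888899990000 ABCDEF0123456789ABCDEF0123456789ABCDEF01'
SAMPLE_RECORDS='
aaaa111 G 1111222233334444555566667777888899990000
bbbb222 U 1111222233334444555566667777888899990000
cccc333 N
dddd444 G DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF'

# Real CI use (commented so the script also runs without a repository):
#   export GNUPGHOME=/etc/corp-keyring    # contains ONLY corporate public keys
#   git log --format='%H %G? %GP' "$BASE..$HEAD" \
#     | gate_range "$(tr '\n' ' ' < corp-fingerprints.txt)" || exit 1
```

Keeping the runner's keyring limited to corporate keys means a commit signed with a developer's personal key shows up as status E (unknown key) and is rejected before the allowlist is even consulted.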