Beyond Identity Develops Solution to Protect Software Supply Chain from Attacks

Enterprise Security Magazine | Thursday, September 30, 2021

Secure DevOps will verify all source code entering the corporate system to prevent software supply chain attacks.

FREMONT, CA: Beyond Identity has developed a solution to secure the software supply chain against insider threats and malicious attacks. The Secure DevOps product from Beyond Identity creates a simple, secure, and automated way to verify that all source code entering a corporate repository and processed by the continuous integration/continuous deployment (CI/CD) pipeline is signed by a key cryptographically bound to a corporate identity and device. As a result, all source code built into the finished software product has trust, integrity, and auditability.

“Agile software development accelerated the speed of innovation and changed the game for so many companies,” said Johnathan Hunt, Vice President of Security at GitLab. “We believe that by using a single DevOps platform like GitLab that embeds security early within every stage of the DevOps lifecycle, developers can reduce regressive rework and minimize vulnerabilities. We appreciate the value that Beyond Identity brings in further fortifying the security of source code commits and protecting against malicious code injection.”

Beyond Identity's method ensures trustworthiness by explicitly connecting source code signing keys to a corporate identity and a specific device. The solution provides unmovable GPG keys that are tied to and secured in hardware enclaves on work-issued PCs, with an effortless, one-time setup for engineers and DevSecOps teams. Greater centralized control and key revocation are also possible. This enables complete source code provenance monitoring for QA and forensic audit purposes. Previously, key management as a service allowed developers to manage keys individually, without consistent, secure storage, which permitted the unsafe practice of quickly shifting keys to various devices.

“As a business that is cloud-based, the Beyond Identity authentication approach was a no-brainer for us,” said Mario Duarte, Vice President of Security at Snowflake. “As I looked closer at their innovative architecture, I saw instant applicability, and huge value specifically, with source code signing and GitHub. It was a perfect opportunity to work with Beyond Identity to design a product that’s tailor-made to address these security concerns.”

“Waiting until after the build to sign code, while easier, is like signing a contract without reviewing the fine print,” said TJ Jermoluk, CEO of Beyond Identity. “Much like a contract, the devil is buried in the details among multiple developers and a multitude of source code commits. And as we’ve seen recently, malicious injections can evade detection for years and compromise multiple companies – regardless of the strength of their organizational security posture. As we’ve done with our Secure Work product, taking the risk – and burden – of passwords and signing keys out of users’ hands not only greatly improves security, but also greatly accelerates access and productivity.”