industry news
Subscribe Now

Keyfactor and Thales Address Code Signing Cyber-Attacks Targeting Businesses

Security leaders announce industry-first code signing product

CLEVELAND, Ohio, June 17, 2019 – Keyfactor, a leading provider of secure digital identity management solutions, today announced a new integration with Thales that combines Keyfactor’s code signing platform with the high-assurance key protection of Thales’ SafeNet Cloud HSM On-Demand. The result of this partnership, KeyfactorTM Code Assure, delivers secure code signing to software vendors, mobile app developers, enterprise IT organizations, and manufacturers of IoT devices.

“We’re seeing a rise in threats against code signing operations, like the recent ASUS hack where attackers exploited code to plant and deploy malware when businesses ran standard updates,” said Jordan Rackie, Chief Executive Officer at Keyfactor. “These attacks erode the fabric of trust that consumers and business users alike place in software publishers and device manufacturers. This partnership and our highly integrated, hybrid approach uphold digital trust, making end-to-end protection against evolving code signing-based attacks simpler for innovative DevOps teams and software providers.”

Code signing certificates are used to digitally sign applications, drivers and software, allowing end users to verify the authenticity of the publisher. Cyber-attackers can forge and compromise vulnerable certificates and keys, often planting malware that detonates once a firmware or software update is installed on a user’s system. Recent research pegs the cost of code signing certificate and key misuse at $15 million and estimates a 29 percent likelihood that organizations will experience code signing incidents over the next two years.

“Complete protection and control of code signing keys is challenging for most businesses, especially as infrastructure and development teams are widespread across the globe,” said Ted Shorter, Chief Technology Officer and Co-founder at Keyfactor. “Faster release cycles and frequent code changes in DevOps environments leave security teams fighting to keep pace. Thales and Keyfactor designed Keyfactor Code Assure to empower innovators, enabling them to secure code signing at the speed of DevOps.”

Keyfactor Code Assure stores all code signing certificates from disparate network locations (i.e. developer workstations, build servers, and thumb drives) in a centralized and secure HSM, Thales’ SafeNet Cloud HSM On-Demand. Once inside, the certificates never leave the vault. Only developers with the right access can request code signage, where it is then signed and returned to the user. Access controls ensure that only developers with the right privileges can sign software and firmware during the time windows designated by the certificate owner.

“The Keyfactor platform has many applications for helping secure the Internet of Things, manufacturing, connected automobiles as well as code signing. The flexibility of these cloud solutions means customers can move their enterprise services to the cloud and get all the benefits of owning PKI while minimizing the risks,” said Todd Moore, Senior Vice President of Encryption Products at Thales.

Gartner Inc., a research and advisory firm, recommends companies “leverage code repositories by enabling signing and time stamping code when it’s checked in to build up a history over time that can inform specific secure coding behaviors.”*

Keyfactor Code Assure has already been adopted by Fortune 500 leaders that value security and trust as utmost priority. This integration allows these organizations to:

  • Defend their business and users against the rising threat of code signing hacks
  • Get complete visibility and control of keys and certificates for security teams
  • Enable DevSecOps with simple and secure workflows for developers
  • Deploy with zero disruption to existing SDLC or build processes
  • Support secure code signing of virtually any code, anywhere – including Windows binaries, Java, IoT firmware, and more
  • Empower distributed development teams with a unique, patented technology to sign code from build servers and workstations – without the private keys ever leaving the auditable, protected confines of a Hardware Security Module (HSM)

For more information on Keyfactor Code Assure, please visit

Leave a Reply

featured blogs
Apr 7, 2020
Have you seen the video that describes how the coronavirus has hit hardest where 5G was first deployed?...
Apr 7, 2020
In March 2020, the web team focused heavily on some larger features that we are working on for release in the spring. You’ll be reading about these in a few upcoming posts. Here are a few smaller updates we were able to roll out in March 2020. New Online Features for Ma...
Apr 6, 2020
My latest video blog is now available. This time I am looking at the use of dynamic memory in real-time embedded applications. You can see the video here or here: Future video blogs will continue to look at topics of interest to embedded software developers. Suggestions for t...
Apr 3, 2020
[From the last episode: We saw some of the mistakes that can cause programs to fail and to breach security and/or privacy.] We'€™ve seen how having more than one program or user resident as a '€œtenant'€ in a server in the cloud can create some challenges '€“ at leas...

Featured Video

Industry’s First USB 3.2 Gen 2x2 Interoperability Demo -- Synopsys & ASMedia

Sponsored by Synopsys

Blazingly fast USB 3.2 Gen 2x2 are ready for your SoC. In this video, you’ll see Synopsys and ASMedia demonstrate the throughput available with Synopsys DesignWare USB 3.2 IP.

Learn more about Synopsys USB 3.2