Keeper Security Protects Against Supply Chain Attacks with New Open Source Project

Date:

Share post:

Keeper Security, the leading provider of zero-trust and zero-knowledge cybersecurity software protecting passwords, passkeys, privileged access, secrets and remote connections, today announces a new open source project for software developers and DevOps to easily and securely sign git commits with their Keeper vault. Through Keeper Secrets Manager, users can now use Secure Shell (SSH) keys stored in their Keeper Vault to digitally sign commits to confirm the authenticity of their code.

Git is a version control system that tracks changes in your software projects, and a git commit is a snapshot of these changes at a specific point in time, accompanied by a brief message describing the modifications. Keeper and developers at The Migus Group teamed up to create the open-source solution to sign git commits using the SSH keys stored in a user’s Keeper Vault. The integration provides developers with a secure and encrypted repository for their SSH keys and removes the practice of storing them on disk, both increasing security and streamlining DevOps workflows.

The rise in software supply chain attacks highlights the need for organizations to prioritize security around the software supply chain. Signing git commits is a recommended best practice for developers to confirm the authenticity and integrity of code releases. As developers sign commits with SSH keys, they are provided with cryptographic proof of authorship, which helps secure the supply chain by assuring users the software originates from a legitimate source and remains unaltered since its signing. Digital signatures can also feed into a Software Bill of Materials to indicate whether a line-item in the SBOM is trusted, depending on the code signature status. 

“The ability to store SSH keys and other credentials in Keeper Vault offers a layer of protection and ease-of-use that hasn’t been the standard,” said Craig Lurey, CTO and Co-founder of Keeper Security. “Our integration enables developers to validate the software code with a cryptographic digital signature and transparent logging, making what historically has been a complex process into a simple one. In the future, all code will be signed, and the software supply chain will have one source of truth that will reduce supply chain attacks.” 

“Our customers are asking for help insulating themselves from supply chain attacks, so we were already working to do that, often using Keeper,” said Adam Migus, Founder and CEO of The Migus Group. “So, we thought working with them to make the git commit-signing process both safer and easier would be a win-win-win. Our customers can now seamlessly sign commits with keys that never leave their vaults. However, the broader community also gains an example of secure commit signing with benefits of central key management.”

 Also Read: Best Practices for PHP Developers

The SSH keys for signing commits are secured in KSM, a fully managed cloud-based, zero-knowledge platform for securing infrastructure secrets such as API keys, database passwords, SSH keys, certificates and any type of confidential data. KSM eliminates secrets sprawl by removing hard-coded credentials from source code, config files and CI/CD systems. The fully managed, cloud-based and IT friendly solution was named an overall leader on the 2023 KuppingerCole Leadership Compass for Secrets Management. KSM is supported on Windows, MacOS and Linux. It utilizes a zero-knowledge security architecture and is highly secure with ISO 27001 and SOC 2 compliance, as well as FedRAMP and StateRAMP Authorization, among numerous other certifications.

Keeper’s integration helps support a broader government and industry effort to bring increased security and visibility to the open source community. The ease of providing a cryptographic digital signature allows developers to validate that the software in use is exactly what it is claiming to be and enhances security for both developers and end-users alike.

TalkDev Bureau
TalkDev Bureau
The TalkDev Bureau has five well-trained writers and journalists, well versed in B2B enterprise technology industry, and constantly in touch with industry leaders for the latest trends, opinions, and other inputs- to bring you the best and latest in the domain.
spot_img

Related articles

How Does the Kernel Work in the Operating System (OS)

Explore the core of the Operating System (OS) - the Kernel. Unveil its key role in managing system...

Wondershare Unveils Filmora 13.3: Revolutionizing Video Editing with Improved UI, UX, and Advanced Color Grading Features

Wondershare has released Filmora 13.3, the latest flagship video editing software update. This version introduces significant UI and...

Apple Removes WhatsApp and Threads from China App Store on Government Order Citing National Security

Apple has removed Meta Platforms' WhatsApp and Threads from its App Store in China due to national security...

Meta Platforms Unveils Llama 3 AI and Real-Time Image Generator to Rival OpenAI

Meta Platforms has launched early versions of its latest large language model, Llama 3, and an image generator...