New Integration Cryptographically Binds Access and Code Signing Keys to Valid Corporate Identities and Authorized Devices to Dramatically Reduce Critical Vulnerabilities
NEW YORK and SAN FRANCISCO, June 27, 2022 – Today, Beyond Identity, the leading provider of unphishable MFA, and GitLab Inc., the provider of The One DevOps Platform, announced a new partnership and integration that enables customers to prevent intentional vulnerabilities from being introduced into DevOps environments and to dramatically reduce the risk of supply chain attacks. The integration between Beyond Identity and GitLab enables companies to ensure that only authorized users working from company-approved and secure computers can access code repositories or sign source code during commit activities. Beyond Identity extends the continued security enhancements and API hooks the GitLab team has released to also add in the unique capability of associating an SSH or GPG key with a known corporate identity. These capabilities are available today.
GitLab’s One DevOps Platform supports essential security capabilities, including the ability to use cryptographic keys to control access and sign source code entering the repository. These advanced capabilities are critical to reducing vulnerabilities that most organizations, even advanced shops, currently have in their DevOps environments. This enables organizations to tightly control access to the source and infrastructure code in repositories and gain visibility into exactly who is committing code. In the past, DevOps teams have typically not required this, and in the rare cases where they have, the SSH and GPG keys used to access repos and sign commits are not bound to an authorized corporate identity. Further, there is no way to ensure that engineers work from an authorized and appropriately secure computer. These issues leave the door wide open to malicious code injection attacks.
“GitLab continues to stress capabilities and partnerships that help joint customers raise the security of their DevOps tooling as attackers continue to prey on lax security in these environments,” said Johnathan Hunt, Vice President of Security at GitLab. “We are very excited by the Beyond Identity partnership and the impact their integration can have on enhancing security for GitLab customers.”
Beyond Identity’s Secure DevOps solution is designed to prevent credential-based breaches by automating and securing digital access for developers, enabling secure repository access and check-ins. GitLab’s focus on security and its essential integration hooks enable Beyond Identity to mint SSH and GPG keys that are cryptographically tied to a known and authorized corporate identity and to an authorized computer. This integration enables DevSecOps teams to lock down the repo and ensure that a valid corporate identity signs every piece of code committed to the repo. The integration also allows DevSecOps teams to check each piece of code entering the CI/CD pipeline to confirm that authorized users signed it, typically as the first step in the CI pipeline.
The Secure DevOps integration with GitLab can help with the following:
- Stop malicious actors or rogue insiders from injecting malware into source code and protect SaaS, PaaS, and IaaS services and apps from backdoors.
- Control repository access and stop the introduction of unauthorized malicious code to customers (e.g., SolarWinds).
- Prevent bad actors and insiders from changing network/system infrastructure settings and introducing hard-to-detect vulnerabilities and backdoors by manipulating infrastructure as code now stored in repositories.
- Confirm that every piece of source or infrastructure code is signed and cryptographically bound to an authorized user so that organizations have perfect visibility into who contributed to every commit – ensuring that issues found by code scanning tools can be immutably tracked to a specific identity.
- Ensure that engineers and contractors are using authorized and proven secure computers to access or commit code – thwarting attacks by adversaries that prey on poorly secured endpoints.
“After SolarWinds, Heroku, and Kaseya, organizations worldwide are digging into how to protect their code better,” said Dr. Jasson Casey, CTO of Beyond Identity. “This is more important than ever as modern DevOps supports tooling needed to protect both source and infrastructure code. While code scanning tools are an important part of the equation, they don’t uncover every vulnerability, and when they do find an issue, organizations have no clear visibility into who contributed the malicious artifact. This partnership enables organizations to ‘shift left’ and protect access to repositories and provide cryptographic visibility into who makes each change.”
About Beyond Identity
Beyond Identity is fundamentally changing how the world logs in with a groundbreaking invisible, unphishable MFA platform that provides the most secure and frictionless authentication on the planet. We stop ransomware and account takeover attacks in their tracks and dramatically improve the user experience. Beyond Identity’s state-of-the-art platform eliminates passwords and other phishable factors, enabling organizations to confidently validate users’ identities. The solution ensures users log in from authorized devices, and that every device meets the security policy requirements during login and continuously after that. Our revolutionary approach empowers zero trust by cryptographically binding the user’s identity to their devices and analyzing hundreds of risk signals on an ongoing basis. The company’s advanced risk policy engine enables organizations to implement foundationally secure authentication and utilize risk signals for protection, rather than just for detection and response. For more information on why Unqork, Snowflake, and Roblox use Beyond Identity, please visit www.beyondidentity.com.