In today’s threat landscape, the software supply chain has become a prime target for attackers. From injecting malicious code into legitimate applications to exploiting elevated privileges on developer workstations, adversaries are increasingly focused on the intersection of code creation and endpoint access. For security leaders, this presents a dual challenge: how to secure the code signing process without compromising developer productivity, and how to ensure only trusted code is allowed to execute across the enterprise.
CyberArk addresses this challenge with a powerful joint solution that combines CyberArk Endpoint Identity Security and CyberArk Code Sign Manager — two components of the CyberArk Identity Security Platform that together deliver end-to-end protection for machine identities and endpoint privilege.
The problem: Code signing requires elevated privileges — and that’s a risk
Code signing is a critical step in the software development lifecycle. It ensures the authenticity and integrity of applications, drivers, and scripts. But the process inherently requires elevated privileges, which often leads organizations to grant developers local admin rights — introducing significant risk.
Even after code is signed, many organizations lack policies that restrict execution to trusted, signed code only, or cannot enforce such policies at the scale their operations demand. This gap leaves endpoints vulnerable to tampering, unauthorized code execution, and lateral movement.
The solution: Identity-first security for code signing and execution
CyberArk’s joint solution solves both sides of the problem:
1. Secure code signing with least privilege
Developers use CyberArk Code Sign Manager to sign code in a secure, policy-controlled environment. The tools required for signing are automatically elevated by the privilege elevation and delegation management (PEDM) capabilities of Endpoint Identity Security, eliminating the need for persistent local admin rights.
2. Enforce execution policies based on code integrity
Once code is signed, Endpoint Identity Security enforces granular application control policies. Only code with a valid signature and intact integrity can be executed or elevated — helping companies ensure that tampered or unsigned code is blocked by default.
3. Phishing-resistant MFA and identity assurance
Endpoint Identity Security also verifies the identity of the user performing sensitive actions with modern, phishing-resistant multi-factor authentication (MFA). This ensures that only authorized users can initiate code signing or execute privileged operations.
A real-world use case
Here’s how it works in practice:
- A developer creates a new application or script.
- They initiate the signing process using CyberArk Code Sign Manager. The required signing tools are elevated just-in-time by Endpoint Identity Security, without granting full admin rights.
- The signed code is now trusted. Endpoint Identity Security enforces policies that allow execution only if the signature is valid and the code remains unaltered.
- If the code is modified or the signature is invalidated, execution is blocked — even if the user attempts to elevate privileges.
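The execution rule in the steps above (run or elevate only if the signature verifies and the bytes are unchanged) can be modelled in a few dozen lines. The following Go program is an added example written for this page, not CyberArk's code, and the platform's actual signing format and enforcement mechanism are not described here. It assumes a simplified scheme: a detached Ed25519 signature over the SHA-256 digest of the artifact, and a policy that trusts a fixed list of signer public keys. The artifact names and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy outcomes. Both are denials; callers can log which rule fired.
var (
	ErrUnsigned         = errors.New("execution denied: artifact carries no signature")
	ErrInvalidSignature = errors.New("execution denied: signature does not verify (artifact modified or signer not trusted)")
)

// SignedArtifact models a build output with a detached signature.
// Signature is empty for unsigned code. (Constructed model, not a product format.)
type SignedArtifact struct {
	Name      string
	Content   []byte
	Signature []byte
}

// Signer holds the private key of one signing identity.
type Signer struct {
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair and returns the public half that an
// execution policy will trust.
func NewSigner() (Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, nil, err
	}
	return Signer{priv: priv}, pub, nil
}

// digest binds the signature to the exact bytes of the artifact, so any
// post-signing change surfaces as an integrity failure.
func digest(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// Sign produces the detached signature over the artifact's digest.
func (s Signer) Sign(name string, content []byte) SignedArtifact {
	return SignedArtifact{
		Name:      name,
		Content:   content,
		Signature: ed25519.Sign(s.priv, digest(content)),
	}
}

// ExecutionPolicy allows only code signed by one of the trusted identities.
type ExecutionPolicy struct {
	Trusted []ed25519.PublicKey
}

// Authorize gates both plain execution and privilege elevation: it returns
// nil only when a trusted key signed the artifact and the content still
// matches the signed digest.
func (p ExecutionPolicy) Authorize(a SignedArtifact) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	d := digest(a.Content)
	for _, pub := range p.Trusted {
		if ed25519.Verify(pub, d, a.Signature) {
			return nil
		}
	}
	return ErrInvalidSignature
}

// Elevate models the rule that asking for higher privilege does not bypass
// the integrity check: the same policy error is returned, wrapped.
func (p ExecutionPolicy) Elevate(a SignedArtifact) error {
	if err := p.Authorize(a); err != nil {
		return fmt.Errorf("elevation of %s refused: %w", a.Name, err)
	}
	return nil
}

func main() {
	signer, pub, err := NewSigner()
	if err != nil {
		panic(err)
	}
	policy := ExecutionPolicy{Trusted: []ed25519.PublicKey{pub}}

	// Constructed build output standing in for a real binary.
	release := signer.Sign("deploy.exe", []byte("constructed release payload v1"))
	fmt.Println("signed release:", policy.Authorize(release))

	// Flip one byte after signing: the integrity check fails, elevation too.
	tampered := release
	tampered.Content = append([]byte(nil), release.Content...)
	tampered.Content[0] ^= 0x01
	fmt.Println("tampered release:", policy.Elevate(tampered))

	// Unsigned script is blocked by default.
	fmt.Println("unsigned script:", policy.Authorize(SignedArtifact{Name: "helper.ps1", Content: []byte("constructed script")}))
}
```

The point to notice is that the policy never inspects the file name or who is asking; the decision rests on the signer's key and the digest, so a modified binary and a binary signed by an unknown key fail in the same way, and an elevation request inherits the same refusal.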
Why it matters
This joint solution delivers measurable benefits for security and operations:
- Reduces the attack surface by removing local admin rights from developer endpoints.
- Complicates software supply chain attacks by limiting code execution to pre-approved and trusted code only.
- Prevents credential theft and lateral movement through identity security and intelligent privilege controls.
- Enforces Zero Trust principles by validating both user and machine identity before allowing sensitive actions.
- Improves compliance with software integrity and endpoint security mandates.
Final thoughts
As software supply chain attacks grow more sophisticated, securing the code signing process and enforcing trusted execution policies are no longer optional. With CyberArk’s integrated approach to Endpoint Identity Security and Code Sign Management, organizations can protect their developers, their endpoints, and their customers — without compromising agility.
Andrey Pozhogin is a director of product marketing at CyberArk.