Modernized Code Signing Helps Healthcare Innovator Reduce Risk and Speed Up Development

Summary

A leading healthcare technology provider had long prioritized securing its development environment. Eight years earlier, it had built an in-house code signing solution to support traditional waterfall development. But as the company adopted modern DevOps practices, the legacy tool began to show its limitations. Frequent crashes, key sprawl, and a lack of visibility strained InfoSec teams and disrupted development timelines—prompting a search for a more scalable, integrated solution.

Company profile

This healthcare technology organization develops and supports critical software used across clinical, administrative, and enterprise environments. With a strong focus on automation, compliance, and secure software delivery, the company maintains continuous integration and continuous delivery (CI/CD) pipelines to serve a growing base of healthcare providers and partners.

Challenges

The company faced a critical bottleneck: application developers using Jenkins encountered significant challenges signing JAR files. The legacy, homegrown tool frequently crashed during the transition from continuous integration (CI) to continuous delivery (CD) in the CI/CD pipeline.

What should have been a seamless process often took hours—or even days—causing delays that disrupted development cycles and added stress to teams striving to meet aggressive delivery timelines. Meanwhile, the InfoSec team, already feeling pressure from frustrated development teams, found the homegrown solution failed to provide visibility into the company’s code signing key population, let alone any intelligence into key ownership and usage.

Once a developer was issued an internally trusted code signing key, InfoSec couldn’t track what code was actually being signed with that key. And if that key were stolen, InfoSec wouldn’t know about it until the damage had been done. Both teams agreed: their homegrown tool had run its course. Rebuilding it would be costly and unsustainable. What they needed instead was a purpose-built solution—one that could deliver visibility and control for InfoSec, while accelerating the development process. Fortunately, the CISO knew exactly where to turn.

Solutions

The company already used CyberArk for TLS machine identity security, and the CISO had been impressed by its effectiveness. He invited CyberArk to conduct a proof of concept for Code Sign Manager, bringing in leads from both development and InfoSec to evaluate. CyberArk demonstrated that Code Sign Manager could integrate directly into their existing CI/CD pipeline, allowing developers to continue signing JAR files for their Oracle application with no changes to their workflows.

“This approach seemed almost magical,” the CISO said. “We assumed this particular use case would be hard, if not impossible, to solve—but CyberArk made it easy!” As the CISO put it: “I sensed the same company that eliminated our outage risk could help us with our code signing challenges. I was right.”

Results

With CyberArk Code Sign Manager, the company achieved a transformative shift in its code signing operations:

• Enhanced security: Code signing private keys were centralized and secured in a hardware security module (HSM), monitored and audited by InfoSec for potential misuse. Developers could still sign code locally for debugging, but no longer had direct access to private keys.
• Streamlined workflows: Developers collaborated with InfoSec to design approval workflows and process controls. Code signing keys remained secure, while developers enjoyed frictionless, fast code signing. The solution also allowed for granular access controls, ensuring compliance with corporate security policies and industry regulations.
• Automation and efficiency: Code Sign Manager automated key provisioning and certificate requests, eliminating the need for developers to write custom scripts. Pre-approved processes could be executed automatically, while more sensitive cases required managerial review—enabled by the solution’s strong automation capabilities.
• Developer productivity: Developers appreciated how seamlessly Code Sign Manager integrated with their preferred toolsets, requiring no modifications. The solution accelerated their workflows, allowing them to focus on innovation rather than administrative tasks.

The impact of Code Sign Manager has been so profound that the company’s application developers became internal advocates for the solution, encouraging other teams to adopt it. The InfoSec team is now onboarding additional internal teams, including those working extensively with Windows PowerShell, who are experiencing the same game-changing benefits.

“Code Sign Manager gives my guys the ability to say yes to development teams and help them protect any kind of code without having to do technical somersaults. It’s easily one of the best security solutions I’ve purchased in my 20 years as a CISO.”
-CISO, Healthcare Technology Provider

Key benefits

• Productivity: Developers integrated secure code signing directly into existing CI/CD workflows—without changing tools, writing scripts, or creating delays.
• Control: InfoSec gained visibility into key usage and ownership, with centralized policy enforcement and auditability across teams.
• Seamless integration with existing infrastructure and technology stack.
• Resilience: The solution eliminated a fragile, homegrown tool, replacing it with scalable automation that kept up with the speed of DevOps.