JFrog
OUR HISTORY OF SUPPORTING CODE SIGNING FOR DEVICE SOFTWARE SECURITY
With over 20 years of experience and 50 million code signing transactions for billions of connected devices, we have established ourselves as a leader in software security. Our services include software signing, encryption, obfuscation, and "Access Token" features for secure debug interfaces, serving over 100 device makers, service providers, and network providers.
We support major chip vendors' bootloader formats, including those from STMicroelectronics, Texas Instruments, Broadcom, Qualcomm, HiSilicon, Xilinx, MaxLinear, MediaTek, and Intel. Our solutions protect vendor- and product-specific signing/encryption keys using FIPS 140 Hardware Security Modules (HSMs). Additionally, we maintain transaction logs so that bad actors and malicious activity can be identified.
PARTNERSHIP WITH JFROG: TRUSTWORTHINESS-CENTRIC SOFTWARE SUPPLY CHAIN SECURITY
Leveraging our established infrastructure and solid track record of success in commercial operations, CommScope has expanded its offerings into the general software supply chain security space.
Our collaboration with JFrog brings together industry-leading solutions to enhance the security and trustworthiness of your software supply chain. Through convenient and easy-to-integrate plugin modules or RESTful APIs, the CommScope PRiSM code signing services can be invoked at any stage of the software supply chain, from development and code repository management to CI/CD pipeline operations, packaging, releasing, distribution, and deployment.
Our specific integration with the JFrog platform, demonstrated in the video included in the Resource section below, is an example of how to seamlessly incorporate CommScope PRiSM code signing services into a typical Jenkins CI/CD pipeline within the JFrog software supply chain ecosystem.
Within the JFrog ecosystem, CommScope PRiSM's signing services complement security measures such as:
- Automated Docker image builds triggered by source control events.
- Security scanning of images through JFrog Xray.
- Conditional actions based on scan results, so that only trusted artifacts proceed.
After an image passes JFrog's security checks, the CommScope PRiSM API is invoked to sign it, and the signed image is then ready for distribution. The JFrog platform also offers optional signature verification, providing end-to-end assurance.
This integration ensures that only signed and verified images are deployed, giving confidence in their authenticity. For more details, please refer to the video in the Resource section below.
BENEFITS FOR JFROG CUSTOMERS
- Protect your software supply chain from unauthorized access to signing keys and avoid irreversible security risks.
- Enable robust security measures without the need for significant investment in technical expertise or infrastructure to meet industry standards and regulations.
- Provide geographically dispersed product teams with secure, centralized access to keys, with granular permissions and usage tracking.
- Access a pre-integrated solution that simplifies implementation, reducing your development efforts.
- Let us handle the complexity and cost, while you benefit from simplicity, productivity, and enhanced security.
TOP FEATURES OF PRiSM PLATFORM
- Easy on-boarding process for enterprise developers, build engineers, and managers.
- Free online test and evaluation with example test signing and verification keys.
- New enterprise-, vendor-, and application-specific code signing and encryption support can be added upon request.
- All signing keys are created in a multi-party-controlled event, and hosted online and protected by FIPS-certified HSMs.
- Rigorous and comprehensive procedural security risk management for signing keys, covering on-site and off-site backups, as well as disaster recovery.
- Enterprise-defined permissions and policies for human or machine access, as well as the use of product-specific signing keys and configurations.
Resources
- JFrog swampUP event presentation: Trustworthiness Centric Software Supply Chain Security.pdf
- Whitepaper: CommScope Secure Code Signing Whitepaper.pdf
Contact Us
If you are interested in CommScope's PRiSM and other services, please fill in and submit the following form: