COMMENT
The recent news that hackers breached the remote access solutions company AnyDesk highlighted the need for companies to carefully analyze their code signing practices to ensure a more secure software supply chain.
Code signing adds a digital signature to software, firmware, or applications that ensures that user code comes from a trusted source and has not been tampered with since it was last signed. But code signing is only as good as code execution, and poor practices can lead to malware injections, code and software tampering, and impersonation attacks.
Private keys need to be protected, but many developers (mostly for convenience reasons) keep their own and store them on their local machines or build servers. This exposes them to theft and abuse and creates blind spots for security teams.
Following the SolarWinds Hacking In 2020, the Certificate Authority/Browser (CA/B) Forum released a new set of basic requirements for maintaining code signing certificates that mandate the use of hardware security modules (HSMs), devices that maintain and protect cryptographic keys, as well as other measures to protect private keys.
HSMs provide the highest level of security, but also increase cost, complexity and maintenance needs. Unless they can be integrated into the code signing tools used by the DevOps team, disconnection can complicate access to code signing and slow down the process.
Migration to the cloud has made security a higher priority, but the cloud also offers a solution for code signing. Cloud code signing and HSMs can provide the speed and agility developers desire, as well as centralized control that supports distributed development teams, integrates into development processes, and can be more easily monitored by security.
The journey to integrated code signing
With recent changes from CA/B Forum, it’s time for organizations to embark on a journey to modernize code signing with centralized control to support development teams. Many companies remain in the “ad hoc” phase, where keys are held locally and developers use a variety of code signing processes and tools. Others have centralized control to provide visibility and governance to security teams using HSMs to protect keys, but using separate code signing tools still impacts the speed of software development.
The ideal, mature framework requires the integration of key security, code signing tools, and development workflows to make the process seamless and optimized across all builds, containers, artifacts, and executables. Security teams manage HSMs and gain full visibility into code signing, while developers now have a fast and agile development pipeline.
Some best practices can help pave the way on this journey:
-
Protect your keys: Store code signing keys in a secure location, such as an HSM that complies with CA/B Forum cryptographic requirements (FIPS 140-2 Level 2 or Common Criteria EAL 4+). HSMs are tamper-resistant and prevent the export of private keys.
-
Access Control: Minimize the risk of unauthorized access and misuse of private keys by limiting access through role-based access control. Define approval workflows and enforce security policies to regulate access to only necessary personnel, and maintain audit logs that record who triggered the signature request, who accessed the keys, and why.
-
Rotate keys: If a key is compromised, all versions signed with it are at risk of being compromised. Rotate code signing keys regularly and use separate, unique keys to sign different versions across multiple DevOps teams.
-
Timestamp code: Code signing certificates have a limited lifespan: one to three years and decreasing. Timestamping code during signing can verify the legitimacy of a signature even after the certificate has expired or been revoked, extending the trust of signed code and software.
-
Verify code integrity: Perform a full code review before signing and releasing the final build by comparing the code on the build server to the source code repository and verify all developer signatures to ensure they have not been tampered with.
-
Centralized management: Companies today are global. A centralized code signing process can help track signing activities and certificates across the enterprise, regardless of where developers are located. Improve visibility, create accountability and eliminate security vulnerabilities.
-
Apply policies: Standardize the code signing process by defining and mapping policies, including key usage permissions, approvals, key expiration, CA type, key size, signing algorithm type, and more. Automate policy enforcement to ensure all code, files, and software are signed to policy and comply with industry standards.
-
Simplify code signing: Integrating and automating code signing with CI/CD tools simplifies the process for DevOps without compromising security, promoting speed and agility.
In a world of continuous integration and continuous delivery, code signing best practices provide a valuable way to build trust in the development process and enable a more secure software supply chain.