Software programs and apps power millions of daily activities, interactions, and work projects around the globe. With the proliferation of information technology, cyber threats and attacks have risen to unprecedented levels, emphasizing the need to strengthen software security and maintain trust in software providers. This is especially important for software supply chains that involve numerous parties and extremely sensitive data. Code signing plays an important role in establishing and maintaining such trust, assuring developers, contractors, customers, and end users that the software components they are using have not been compromised.
With distributed workforces, online communication and tools, and digital data transmission becoming the norm in software supply chains, the risks and costs of unsigned code are high. Attackers eagerly exploit the vulnerabilities of weak security, misconfigured access, and human error. The consequences of security breaches can be severe. Not only may they grant access to sensitive information to threat actors, but they also result in costly fixes, customer compensation, and damage to the brand reputation, often irreparable. Compromised software erodes the trust in the relationship between the supplier and the consumer. This is precisely what routine code signing seeks to prevent.
The role of code signing certificates
A code signing certificate provides a straightforward way to confirm the authenticity of a software source and verify that its code hasn’t been tampered with or altered by anyone except the code author. Code signing certificates are a special type of digital certificate issued by a certificate authority, or CA, for the specific purpose of signing code to ensure its integrity.
Today, signing a software release with a code signing certificate is non-negotiable if the end product is intended for publishing on any third-party platform or app store. For example, Apple, Microsoft, and Google all require apps to be code-signed before they are approved to be listed for consumers to find. The same holds for software intended for public installations elsewhere. Having a code signing certificate in place not only provides a layer of security and increases customer confidence but also ensures a smooth user experience free of red flags thrown up by browsers, firewalls, and operating systems that may detect unsigned or untimestamped software.
Code signing is imperative for providing secure package distribution in a software supply chain, where the code may potentially go through several iterations before reaching the end-user. A valid code signing certificate must accompany each step and each instance of code alteration to ascertain the changes as genuine. The same is true for over-the-air hardware updates: the Internet of Things (IoT) devices are a clear use case, as it is critically important for IoT security that the device only installs the updates that have been verifiably released by the manufacturer, not by anyone else.
Common pitfalls of code signing certificates
As with any other aspect of public key infrastructure (PKI), the strength of the encryption and the forethought that goes into protecting the private key of the private-public key pair ultimately determine the security of the code signing certificate.
Some of the common pitfalls that may undermine it include:
- Unprotected private keys. Keys stored in unencrypted files or repositories are more vulnerable to theft than keys safeguarded by hardware security modules (HSMs).
- Shared accounts. Misconfigured permissions and access above what’s required open up avenues for unauthorized activities and increase the likelihood of unwanted access.
- Inadequate policy and audit trails. A lack of tools to monitor code signing keys’ activity and logs that detail the actions taken leaves DevOps teams without an adequate way to identify risks and respond to audits, adding to workload and increasing liability.
- Unsigned artifacts in build pipelines. Complex software supply chains operate with hundreds of “moving pieces” of code, updates, releases, and artifacts. It’s nearly impossible to keep track of them all without a system in place. Manual ad-hoc signing may result in code assets being shipped unsigned, opening the door to system flags, approval delays, and attack vulnerabilities.
Secure code signing best practices
To address the pitfalls of common handling of code signing certificates, an organization’s developer team or the DevOps division has several tools at its fingertips to ensure its code signing procedures and policies are up to the requirements imposed by regulators and the current climate of security threats.
Just like any PKI component, the security of the code signing keys is paramount, so a hardware security module (HSM) for key storage is the most secure option. A reputable cloud key management system is a budget alternative for smaller dev teams, but it carries some risk.
Implementing role-based access and approvals is another step to ensure the signing is carried out only by authorized team members within the specified time frames. Limiting or restricting code-signing activities outside of specified windows of time can help further secure the operations, as unusual activity will be easier to detect and block. By the same token, keeping robust logs and monitoring activities in real-time allows the team additional visibility to quickly respond to anomalies, even if they end up being legitimate actions by authorized team members. Singing into the pipeline and logging every code-signing event is one of the best practices for maintaining the integrity of code-signing certificates of an enterprise.
Scaling in DevOps
The complexity of development processes and activities at an enterprise level demands appropriate investments into the infrastructure and tools that allow DevOps teams to scale operations without sacrificing their security. Automation and key management systems are especially important where code signing is concerned. The repeatable nature of the action, coupled with its sensitivity to cyberthreats, demands a balance between ease of execution with minimal roadblocks and a secure, role-based approach to security.
Scaling DevOps teams may consider the following approaches when ramping up operations:
- Integrate code signing activities with continuous software development practices (CI/CD) that speed up code building, testing, and deployment by favoring incremental code changes, utilizing artifact repositories, and enforcing automation of the development pipeline.
- Automate certificate issuance and rotation to lower the burden of manual work and reduce the possibility of human error.
- Prepare for algorithm agility and timestamping policies by only using timestamped code signing certificates. Teams upgrading their PKI infrastructure in line with the principles of crypto agility will inevitably retire old certificates; however, timestamping their code-signing certificates will ensure that the code will still pass the verification checks even after the certificate itself expires, thanks to the timestamp present.
Conclusion
Enterprises should strive to move towards a mature code signing model, whose markers include having a centralized, controlled, and documented system of procedures and policies for signing code. Implementing code-signing best practices, eliminating or limiting manual ad-hoc processes in favor of automation for code-signing certificate management, and increasing security measures for safeguarding code-signing keys are all practical steps an organization’s DevOps team can take today to ensure the safety of its software supply chain.
Investing in all of the above may seem daunting, but the costs of inaction are a lot higher. The protection of customers and end-users, together with brand reputation and the company’s bottom line, is at stake. This is why the appropriate management of code signing certificates, which greatly contributes to code security, is truly a no-brainer.
See also:
