Best Practices for Secure Code Signing

We live in a world that runs on code. Software is everywhere. It’s in your home, your car, your workplace, and virtually anywhere you go – all powered by billions of lines of code.

Secure code signing is the practice of digitally signing a piece of software (or firmware) to ensure that end users can identify its source (the author of the software) and verify that the code hasn’t been altered since it was published.

Most software developers and IoT manufacturers recognize the need for signed applications, but can be challenged by how to implement code signing securely. Signing code without protecting your cryptographic keys and certificates can actually expose you to more risk than no code signing at all.

Why?

Because they are lucrative targets. Attackers seek to compromise these digital certificates and keys to sign and distribute malicious code masked as legitimate software or firmware.

When organizations fail to secure code signing processes, the virtual “keys to their business kingdom” are left vulnerable to attack. The trust and integrity of software hinges entirely on the security of these code signing keys, but keeping them secure is no simple task. Consider:

• Security vs Speed: Security and public key infrastructure (PKI) teams would prefer to isolate and lock down private code signing keys, but developers still need quick access to sign code and push it to production.
• Dispersed Dev: Today’s development teams work across globally dispersed locations. Code signing keys are often left within reach of hackers on developer workstations and build servers.
• No Disruption: In DevOps, frequent incremental software builds are the name of the game. Any changes to the Software Development Lifecycle (SDLC) can introduce risk and delay time to market.

Recent code signing attacks underscore the importance of following best practices to effectively meet the needs of both developers and IT security teams. Whether you consume software or build it, your business must take steps to prevent your keys and certificates from falling into the wrong hands.

Let’s discuss the four best practices your organization can follow to prevent code signing attacks and overcome challenges faced by developers and IT security teams alike.

The burden to sign code often falls on developers – people who specialize in writing code, not ensuring security. As a result, private signing keys wind up in unsecured network locations where they can be extracted by attackers to sell or create code-signed malware.

Start first by finding out how many code signing keys and certificates you have, where they live, and how they are stored. Locate and transfer all private keys into a FIPS 140-2 Level 2 certified hardware security module (HSM) to prevent attackers from gaining physical or logical access.

Tip: Opt for a Cloud HSM service that offers all the benefits of hardware-level security, but without the upfront costs, manual set-up, and ongoing maintenance of dedicated hardware HSMs.

If a hacker breaches your developer network, they don’t necessarily need to steal your keys. By gaining access to a build server or developer workstation with access to code signing infrastructure, hackers can simply submit malware to be signed and distributed without detection.

Ensure that only the right developers can sign the right code with the right key, and at the right time. By enforcing access controls and signing policies, you can ensure that, even if a hacker breaches the network, they cannot compromise your code signing infrastructure.

Tip: Separate roles between those who can submit code to be signed and those who can approve certificate signing requests. Separation of duties can effectively prevent misuse of code signing certificates.

Security is only effective with adoption. Developers must be able to sign any code, from anywhere, without disruption. Otherwise, security gaps will inevitably arise.

Code signing should be a collaborative responsibility between security and development teams to achieve mutual goals to protect keys without disrupting the SDLC. Integrate code signing processes with existing developer tools and workflows.

Tip: Find a solution that allows developers to sign code from anywhere, without having to store code signing keys locally on different workstations, build servers, smartcards, and tokens.

Certificates expire, keys and algorithms weaken over time, and threats continue to evolve. Stay ahead of these risks by continuously monitoring the status of code signing certificates, the strength of algorithms used, and all code signing activities. Regularly log and audit the usage of keys to ensure that nothing is missed.

Tip: Include code signing certificates in your certificate lifecycle management strategy with provisions for how they are requested, issued, renewed, or revoked.

Want to learn more? Download the Definitive Roadmap to Secure Code Signing including detailed information about recent code signing attacks, how they could have been prevented.

Ready to get started? Keyfactor Code Assure is purpose-built to help you tackle your biggest code signing challenges head on.