Code Signing Is a Valuable Tool — If It’s Secure

This article was originally published by Security Magazine.

Today, just about everything relies on code. Software permeates virtually every aspect of our lives; from the products and machines we use each day to the critical infrastructure that supports society as a whole. It’s difficult to imagine a business, government agency, other entity, or device that doesn’t depend on software in some way.

There was a time when end users could trust the software they downloaded. Unfortunately, that is no longer the case. As hackers and other cybercriminals become increasingly adept at the art of spreading malware, even information technology (IT) professionals find it difficult to know whether the software product they’ve purchased is legitimate. Not to mention automatic software updates by laptops, mobile, and Internet of Things (IoT) devices.

Thanks to the adoption of continuous integration and continuous delivery (CI/CD) and build and test automation tools, application and operations teams are moving faster than ever, which means there are fewer human eyes with a direct line of sight into what’s happening throughout the pipeline. Bad actors have recognized this and look for weaknesses in these fast-moving and complex environments, injecting or modifying malicious code at virtually any point in the software supply chain. This can be anything that goes into or affects code from development, through an organization’s CI/CD pipeline, until it gets deployed into production (i.e. into software dependencies, into an organization’s source code repository or compromising build servers).

This is where code signing comes in.

Code signing is a cryptographic method used by developers to prove that a piece of software is authentic. It protects against altered code and creates a chain of trust. Much like how an SSL certificate serves as a form of authentication to identify a website, a code signing certificate is a special class of digital certificate used by developers to sign applications and software.

A code signing certificate allows any recipient of the software to verify its legitimacy by confirming information such as the name of the company that developed the software — operating much like a driver’s license for the digital world.

Once the software is signed with a code signing certificate, it means that any version of the software that has that valid signature has not been altered by a third party. Confirming that a body of work has not been altered in transit is so important because any alterations to the software code could indicate the presence of malicious activity. The signed code means that what end users see and experience is exactly what the software creator intended.

The trust and integrity of code signing hinge entirely on the security of an organization’s signing keys. In today’s threat environment, the private keys linked to code signing certificates are one of the biggest steals a hacker can make, as getting their hands on this part of the code signing certificate means they can create new software that appears to be legitimate and from a reputable source.

A single breach in this chain of trust can lead to severe damage for a business. The process of quickly revoking and reissuing certificates, notifying affected users and pushing out a newly signed update is expensive. Not to mention, reestablishing trust with users, business partners and investors can be a long and arduous process.

Beyond key theft, other common vulnerabilities include signing breaches and internal misuse. Hackers can get malicious code signed even without stealing the appropriate private keys if they can get into a developer workstation that has open access to the code signing keys. Once that happens, they can simply submit their software for signature and release. Additionally, if a developer has open access to the corresponding code signing key and accidentally misuses or misplaces it, they can create an opening for hackers to infiltrate operations.

Once security teams recognize and understand these vulnerabilities, there are a number of actions they can take to protect against them, creating more trust in the software supply chain.

The most common challenge organizations experience is implementing code signing in a way that effectively meets the needs of both developers and IT security teams. Providing too much access for developers can make the process vulnerable to attack. However, too little access creates friction in the development process, and teams are likely to circumvent security policies. Getting the balance right requires comprehensive protection for private code signing keys, so that they remain in a secure location and can only be accessed by restricted users.

Oftentimes, security teams lack visibility into and control over signing processes. Deploying technology that can centralize visibility and control to make it easy for security teams to audit everything can go a long way toward addressing this challenge. Having the right technology in place can help security teams track and monitor code signing activities, create an audit log for code signing certificates and signing attempts, and centralize and standardize policies for who can sign code.

The best way to ensure developers don’t circumvent security policies or accidentally open them up to risk is to integrate code signing activities into their existing DevOps processes. This should include integrating any signing tools with DevOps tools, enabling remote signing capabilities for distributed teams, and introducing checks and verifications that must happen before any code signing takes place.

Code signing is an ongoing process. Certificates at some point will expire, keys and algorithms might weaken over time, and threats evolve. Keeping close tabs on all code signing activities, auditing all key usage, and covering code signing certificates in any broader PKI certificate management activities will not only help security teams spot threats earlier on, but also ensure that all of the controls that are put in place to protect a code signing certificate are properly maintained over time.

In our software-driven world, trust is everything. Ensuring that an organization’s security and development teams are working together to protect the digital certificates and keys used for code signing is key to ensuring their software remains secure and trusted – making code signing a critical part of a secure software supply chain.