listen to this article:
Our recent blog on the best practices for code signing illustrates the evident tradeoff between security and functionality amongst the different approaches most commonly used by organizations. However, with the ever growing need to defend against software supply chain attacks, security leaders should consider advancing their security strategy to include a solution that coexists with their existing cryptographic infrastructure and mitigates risk.
Designing An Advanced Secure Code Signing Solution
The ability to securely sign code is an essential part of almost every aspect of our work (and even home lives) today. From traditional software updates, application updates – even planes, trains and modern automobiles – rely on enabled updates that happen with minor authorization and trust. Designing for an alternative begins with understanding the landscape – or more importantly your cryptographic infrastructure, policy and the gaps that may exist. Let’s look at some of the key criteria that should be considered to ensure greater security and control over all your code signing keys.
Whether it’s to enforce policy, address fragmentation of your infrastructure or to put tighter controls on our key – centralized management of your cryptographic infrastructure should be top of mind. Centralized management offers development teams a single pane of glass to manage the code signing certificates of your organization. In addition, it provides a unified way for provisioning new teams, execute certificate life cycle operations, set and enforce policies, as well as monitor auditing events.
FIPS 140-2 Certified
The National Institute of Standards and Technology (NIST) issued the Federal Information Processing Standard Publication 140-2: A US government computer security standard used to approve cryptographic modules. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. In our case, the private keys of the code signing certificates. This standard specifies the security requirements that will be satisfied by a cryptographic module.
In today’s environments where everything is virtualized and much is remote, and enterprises are moving more and more to hybrid and multi-cloud deployments, pure hardware solutions such as HSMs constitute a significant obstacle. As a result, software solutions for key protection with strong guarantees are needed to replace and complement existing hardware solutions.
Integrating the CI/CD pipelines with the code signing solution should be seamless as possible. There is a need for a solution that can provide flexible integrations, including a zero-footprint method to make the integration quicker and increase the overall adoption time of the code signing solution within the organization.
Scan Before Sign
Scanning artifacts by the code signing solution right before they are signed, adds a very strong security layer as it prevents malwares from being added to the artifacts as part of the CI/CD pipeline. The solution should provide such capabilities while allowing the organization to choose the scanning engines of their choice.
Scalability & Cloud Agnostic
The code signing solution needs to have the ability to scale, support a high amount of code signings operations per second, and provide code signing services for development teams in various regions, whether the regions are connected to other sites or the internet or not. An ability to deploy the solution on any cloud service provider would allow a local code signing service which increases availability and throughout.
Security Assurance for Theft and Misuse
Legacy key protection solutions address the problem protecting the private key of the code signing certificate from being stolen. There is no doubt that the security risk due to cryptographic key theft is the greatest. However, there is a need to add additional layers of protection against code signing certificate misuse — where an attacker breaches a machine that is authorized to carry out operation – to support a zero trust model. A strong code signing solution would address the key misuse threat by ensuring that only legitimate operations are allowed.
Modern Environment Support
Today’s modern environment consists of new artifacts that are deployed/executed. In today’s environments, there are many CI/CD platforms that are provided by PaaS or SaaS providers. A couple of examples are running prebuilt containers images or prebuilt virtual machines and using a SaaS provider for CI/CD like Gitlab. The modern code signing solution needs the ability to sign such artifacts and allow integrations with such SaaS providers.
It is crucial that code signing solution would be agile and evolve with the ever-growing enterprise needs. There is a need for a solution that constantly adds support for (1) new artifacts, (2) new CI/CD tools – whether on-prem or on the cloud, (3) new cryptographic algorithms such as post quantum crypto; (4) new functionalities such as scan-before-sign. A software only solution has an advantage in this sense as it is easier to deliver and upgrade.
The Future for Protecting Code Signing Keys
In conclusion, the road to a trusted and secure code signing policy is heavy reliant on the adoption of modern IT in practice and in investment. Modern IT in practice will provide the rigorous security checks and an investment in Modern IT offers your development the crypto agility and single pane of glass view and controls required to ensure maximum protection and buoyancy.