listen to this article:
In today’s modern IT environments, code is distributed in a variety of forms. From standard software packages for Linux, Windows, MacOS and Java, to mobile apps, firmware, virtual machines, containers, and it’s even embedded in Microsoft office documents.
What are the existing approaches for verifying that the deployed code is legitimate so that threats such as supply chain attacks can be mitigated? What are the common practices to make sure that the software was provided from the stated vendor and was not tampered by a malicious adversary and contains malware or any unwanted code?
The method for protecting code is using digital signatures and PKI – specifically using code signing certificates.
How Do We Trust the Code Signing Process?
Upon software deployment, the digital signature of the code signing process is automatically verified, providing assurance that the code was issued by the stated vendor and has not been tampered with since being published.
Secure code signing heavily depends on the protection and access control of the private keys of the code signing certificates – if the code signing certificates are lost, stolen or used without proper authorization – then code signing certificates are essentially worthless.
In this article, we will assess the most common approaches for securing code signing certificates, and explore their strengths and weaknesses.
Best Practices for Securing Code Signing Keys
The first approach is DIY – Build a customized code signing solution the integrates the Continuous Integration/Continues Delivery (CI/CD) tools to it.
The benefit of using a customized solution is that it’s tailored to the organization needs, and supports the programming environments and tools.
However, the DIY solutions are usually focused on functionality and not security – hence they do not provide the required level of assurance to protect the code signing certificates from being stolen or misused.
In addition, these solutions require heavy maintenance, as the development environments constantly changes. In scenarios of M&As this introduces a larger problem as new sites and programming environments are introduced to the organization.
Hardware Security Module (HSM)
Another approach is to use Hardware Security Modules (HSMs) to protect the code signing certificates.
HSM are FIPS 140-2 compliant, and provides the required security requirements for code signing keys protection.
However, HSMs are dedicated hardware appliances, and due to that, they are difficult to deploy and maintain. On cloud environments it’s usually not possible to bring your own HSM, and it’s required to use the cloud provider HSMs. Using different HSMs on-prem and cloud results in multiple, inconsistent manual processes to manage them, as there is no central management. When HSMs are deployed for code signing, usually each team works in an independent and ad hoc manner. This also prevents setting company-wide policies for the code signing certificates.
Furthermore, using HSMs limit the type of artifacts that can be signed, and in many cases, HSM do not support the signing of modern software artifacts.
Third Party Vendors
An additional approach is to use the same HSMs as a root of trust for a 3rd party code signing solutions.
This provides the security assurances due to the usage of HSMs, and also provides central management for the code signing certificates.
However, this approach still depends on physical HSMs that are difficult to deploy and maintain, which causes challenges to deploy the solution on multiple sites and scale.
Such solutions also have limited functionalities, and they don’t allow to scan code prior to signing.
In terms of integration, HSM supports the integration of certain “signer utilities”, but it’s not possible to uploading the file for signing – this limits the types of CI/CD tools that can be used.
Another approach is using a SECaaS-based solution.
Using a SECsolution for code signing is beneficial as it does not require to deploy HSMs or any other backend software, and it provides central management and auditing for the code signing certificates.
On the other hand, it requires to keep the sensitive keys on the SECaaS provider, hence giving up the control of the keys.
The SECaaS providers also have a limited number of artifacts that it can supports for signing. In certain cases, such services requires the code signing certificates to be generated by a certain, specific Certificate Authority (CA), and does not allow to use code signing certificates from any CA.
The SECaaS code signing solution also lacks the ability to scan code for malware before signing.
Filling the Gap in Code Signing Solutions: Security vs Functionality
Based on the most common practices for code signing used today, security professionals are faced with the dilemma of compromising one of two critical solution features: security vs functionality.
To this end, there is a need for a solution that will comprise of several features to eliminate this tradeoff. This solution should:
- Centrally manage all code signing certificates
- Provide a FIPS 140-2 security without requiring dedicated Hardware
- Support signing of any code
- Allow integration with no dependency on the CI/CD platform
- Include additional security layers, such as scan the file for malwares before it is signed, in order to mitigate supply chain attack
- Scale, be easily deployed on multiple sites, and support multiple development teams
- Provide security assurances for code signing key protection and key misuse
- Support modern environment such as containers, and gitlab and provide a secure and automated way to sign code from such services
- Provide a secure and automated way to sign code from such services
- Be agile to quickly address changing security needs
In this article we reviewed various common practices that are being used today to protect code signing certificates.
Approaches such as DIY, HSM and SECaaS provides some benefits but also introduces some vulnerabilities. There is a need for an revolutionary code signing solution that provides central management and auditing, maximum control by securing the keys, and scanning for malware before signing, and allow to seamlessly sign any code from any platform, reaching scale and providing agility.