As application teams aggressively shift to DevOps and continuous integration/continuous delivery (CI/CD) practices, code signing has become greatly important in the cybersecurity landscape. If you’re a DevOps professional, you already know that code signing is a time-tested security practice followed to provide customers with proof of code authenticity and integrity.
By definition, code signing is the process of digitally signing software to help consumers verify the identity of the software publisher and confirm that the received software hasn’t been altered since its signing. This provides consumers confidence that code is valid and from a legitimate source.
When code signing is implemented correctly with security best practices, it can be one of the most powerful cybersecurity defenses you can use to fight threats and secure your software supply chain. But when poorly managed, code signing can become a weak link risking your organization’s security and also that of your customers.
Of the many lessons learned from the infamous SolarWinds supply chain attack, the most important was the need to modernize and secure code signing processes. As frequent software updates are part and parcel of application delivery, bad actors are finding new ways of exploiting code signing to execute cyberattacks. From stealing code signing keys to compromising the build server, and injecting malicious code into the source code repository, code signing is being exploited in more ways than we can imagine. It is, therefore, crucial that software publishers follow effective and reliable code signing processes to ensure software and application security.
To help you secure your code signing processes and prevent security compromises, here are some recommended best practices that organizations can follow while implementing code signing.
- Control or restrict access to keys
Private keys are the heart of the code signing process. If these keys are stolen, attackers could easily sign code with injected malware and distribute it as legitimate software. From the application security standpoint, the importance of protecting and controlling the use of code signing keys cannot be overstated.
To ensure your code signing keys are safe, start with limiting access to them. Define approval workflows and enforce security policies to regulate access. Implement role-based access control to provide the right level of access privileges to the right people. Maintain audit logs to record who accessed the keys and why. This helps minimize the risk of unauthorized access and misuse of private keys.
- Rotate keys
Sometimes, organizations tend to use the same key to sign releases across different product lines and businesses. This can be a very bad idea. If the code signing key is compromised, all the releases you have signed with it are at the risk of compromise. Instead, a good practice would be to rotate your keys regularly. Also, use unique and separate keys for signing different releases across multiple DevOps teams. This helps limit the extent of damage a breach can cause in the event of key theft.
- Store keys in a highly secure location
When it comes to key storage, one of the common mistakes that organizations tend to make is storing the keys on a hard drive, developer’s local machine, or build servers. This mistake can open up a huge window of opportunity for attackers to steal your private keys and cause widespread compromises. To avoid this risk, always store your code signing keys in highly secure cryptographic locations, such as within a FIPS 140-2 level 3 hardware security module (HSM). HSMs are tamper-resistant, and breaking into one is extremely difficult. You can rest assured that private keys are never exported, and no unauthorized person can ever access or misuse the code signing keys.
- Time stamp your code while signing
A time stamp is a piece of information included in the digital signature that indicates the date and time the software was signed. Usually, the validity of code signing certificates is up to 3 years. Once the validity period is over, the certificate expires, and the digital signature becomes invalid, raising security warnings. Timestamping was enabled to provide customers with a means to verify the legitimacy of code even after the certificate expires or is revoked. A time stamp tells the customer when the code was signed and if the certificate was valid at the time of signing. Time stamping is an excellent way of extending trust regardless of the certificate validity period and saves money spent on renewing code signing certificates.
- Carry out code integrity checks
Another code signing best practice is checking the integrity of the code before publishing it. Developers must digitally sign any code they check in using their signing key. All developer signatures must be verified to ensure the final code published is tamper-free. As a precautionary measure, the code signing system must perform a full code review by comparing the code it is about to sign on the build server with the source code repository. Only after all these checks are completed should the final build be signed and released. Verifying the integrity of the source code is a critical step that helps ensure that the software update is free from tampering and safe to be used by your customers. Remember, not verifying the code was one of the major slip-ups that caused the SolarWinds breach.
- Establish visibility and centralize management
Typically, organizations manage certificates and keys with manual processes. But, manual processes neither provide complete visibility nor centralized control over certificates and keys. Without a centralized management system, enforcing policies and regulating access to certificates and keys is difficult, as the process involves several distributed teams. Having holistic visibility and a single point of control is critical to monitoring signing activities, building accountability, and eliminating security vulnerabilities in time.
- Simplify code signing for DevOps
DevOps teams are always driven by speed. Anything that slows down application delivery is perceived as a bottleneck. Given the complexity and inefficiency of manual code signing processes, developers often tend to find shortcuts like key sharing, which inevitably introduces security risks. This problem could be effectively addressed with an automated certificate lifecycle management (CLM) solution that can integrate seamlessly with your DevOps toolset. Automation can radically simplify and speed up certificate processes for DevOps with pre-defined self-servicing workflows.
Secure DevOps and Your Software Supply Chain with Trusted Code Signing
Given the immense degree of trust attached to code signing and how it is being exploited in supply chain attacks, securing and well-managing the code signing process must be a priority for all DevOps organizations. Less secure code signing practices can inadvertently expose your customers to cyberattacks and, in turn, severely impact your business reputation. The only way to minimize this risk is to build a robust and secure code signing system that can strengthen your security posture and keep your customers’ businesses safe.
How AppViewX Can Help
AppViewX CERT+ is a next-gen machine identity management platform that enables fast and trusted code signing to create a reliable and secure experience for your customers. You can efficiently manage all your code signing certificates and keys end-to-end from a centralized dashboard and stay on top of vulnerabilities and threats. CERT+ also offers advanced automation capabilities that allow you to fully automate all certificate and key management activities to prevent certificate theft and security issues. Automation also helps you simplify code signing for developers by minimizing manual effort, while maintaining code security.
Interested in learning more? Check out AppViewX code signing.
You can also schedule a free session with our expert today to understand how you can simplify and streamline your code signing system.