Last week, we discussed 5 things that might indicate that your company has a code signing problem. Remember, the problem isn’t with the code signing operation itself. Signing code is a well-recognized security best practice. But the way that you do it can make all the difference in the success of your code signing efforts. What you need to look at is how your company secures machine identities throughout your code signing process.
In this week’s blog, let’s take a look at 5 best practices that can help your company get your code signing problem under control.
1. Establishing Global Visibility
The first step in securing the code signing process is for your InfoSec team to establish complete visibility across the enterprise for all code signing activities. You need to know critical information, such as:
- Which code is being signed, no matter whether it is for internal only or external use
- Which code signing certificates are being used, regardless of the certificate authority they come from, including internally generated certificates
- Who signed code, which machine it was signed on, when it was signed, and which code signing tool was used
- Who, if anyone, approved the code signing operation
2. Centrally Securing all Code Signing Private Keys
The next step in establishing a secure code signing process is to move private code signing keys off of all developers’ computers, build servers, web servers, sticky notes, etc. Private keys should be stored in an encrypted, secure and centralized location. Private keys should never leave this location for any reason. You need to customize storage options for developers based on the type of code signing certificates that they are using. For example, extended validation (EV) certificates must be stored in a hardware security module (HSM). In addition, some compliance regulations may require that the secure storage reside within a certain location. Therefore, you may need to offer multiple secure locations.
3. Defining and Enforcing Policy with Automation
One of the reasons that development teams resist corporate security policies is that the policies are often built around manual processes. This is particularly counter-intuitive for DevOps teams that are developing at speed and scale. Manual processes simply don’t match the requirements of their projects. Because of this, you should provide a code signing platform that allows every development team to define their own code signing policies and workflows, such as:
- Who is authorized to sign code
- What code signing tools are authorized to be used
- Which types of certificates are allowed
- Who must approve (based on certificate type or phase of software development)
That platform should also be able to automatically enforce those defined policies through workflow automation. Integrating with third-party code signing tools that developers already use helps ensure easy adoption. You will want to pay particular attention to integrating with corporate platforms such as active directory, ticketing systems, and other SIEM tools.
4. Being a Hero, Not an Obstacle
In many cases, managing their own code signing infrastructure, requests for code signing certificates, renewals and more is a burden for your software development teams. You will help them achieve more secure software delivery if you are able to replace this burden with an automated, flexible platform that supports their unique needs. Furthermore, your developers will require a solution that does not add additional burden like rewriting build scripts, installing memory-resident programs, learning new tools, or slowing down their automated build processes by requiring code be offloaded to a central server for signing.
5. Showing Compliance—Always
Your function is to secure your company’s information, including code signing credentials. A part of the success of this effort will be showing that you are effectively achieving the end goal. It’s important that you can demonstrate that you have a secured code signing process across the entire enterprise. By having an irrefutable record of all code signing operations—such as knowing where all private keys are stored and knowing that policies are always enforced—helps you ensure compliance.
Are you following these best practices for your code signing process?