Trust is important in today’s digital world. Software clients require proof that the application they are using is legitimate. Securing and managing code signing certificates allows organizations to validate the software author and prove that the code has not been altered or tampered with after it was originally signed.
Code signing is more critical than ever because cybercriminals are leveraging the extremely complex modern software supply chains, introducing malware strains “upwards” which are then propagated through the supply chain “downwards”. A single infected software component can infect thousands of applications.
“Code signing keys and certificates serve as machine identities to authenticate all kinds of code so when they fall into the hands of attackers, they can be used to inflict enormous damage,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Secure code signing processes enable apps, updates, and open-source software to run safely, but if they’re not protected attackers can turn them into powerful cyber weapons. Code signing certificate misuse was the key reason Stuxnet and ShadowHammer were so successful.”
Developers must take extreme care in protecting private keys associated with code signing certificates to avoid complications. A streamlined, secure code signing process safeguards your business and provides inherent trust to your software consumers.
The importance of code signing certificates
Code signing certificates are important for all businesses. Organizations are depending on apps to reach their customers and deliver their services and products. Trusted code signing certificates protect businesses from security breaches. These certificates are valuable assets to hackers. Compromising an organization’s code signing certificates allows adversaries to create trusted versions of malware that appear to have been created by a legitimate developer.
Operating systems like Windows warn users if the software or drivers they are using are not properly signed and trusted. Finally, code signing needs to support distributed development teams. Developers are usually dispersed in various locations and they are using signing certificates to authenticate their code. However, poor code signing key and certificate management introduce risks that could result in costly breaches.
Code signing certificates are also used to secure and authenticate the firmware and software used in many IoT ecosystems. For example, in the automotive industry, these certificates are used to cryptographically sign the software communications over the CAN-bus. The famous Jeep Hack changed the firmware on the Jeep’s CAN-bus to take over and remotely control the vehicle in motion.
Code signing keys and certificates are crucial security assets, but unfortunately, organizations are not taking the appropriate steps to protect them. According to a recent Venafi survey among 320 security professionals in the U.S., Canada and Europe, although respondents understand the risks of code signing, they are not taking proper steps to protect this type of machine identities. For example, according to the study, only 28 percent of organizations consistently enforce a defined security process for code signing certificates.
“The reality is that every organization is now in the software development business, from banks to retailers to manufacturers,” says Bocek. “If you’re building code, deploying containers, or running in the cloud, you need to get serious about the security of your code signing processes to protect your business.”
Best practices for securely managing code signing certificates and keys
The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key is compromised, the certificate loses trust and value, jeopardizing the software that you have already signed. This implies that control measures should be in place to protect code signing keys. The NIST whitepaper, “Security Considerations for Code Signing” outlines multiple control measures that should be taken to secure code signing keys.
Organizations should apply the following best practices to protect the code signing certificates.
1. Centrally secure all code signing private keys
Store private code signing keys in a centralized, encrypted, secure location. Developer’s like for them to be convenient and may have private keys stored on their personal computers, build servers, web servers, sticky notes, etc. Private keys should never leave the secure location, for any reason—even when they are used to sign code. Provide storage options for developers based on the type of code signing certificates that they are using. For example, extended validation (EV) certificates must be stored in a hardware security module (HSM). In addition, some compliance regulations may require that the secure location resides within a certain geographic location. Therefore, you may need to offer multiple secure locations.
2. Control access to code signing certificates and keys
Simply storing a private key in secure storage is insufficient to protect it. Organizations need to define the conditions in which that key is authorized to be used and enforce those conditions. For example, you need to define and enforce:
- Who needs to approve access to the key
- What types of software can be signed with that key
- Which computers can be used to sign with that key
- What code signing tools may be used for signing with that key
3. Define a security policy and enforce it.
While development teams are experts in writing code, they may not have expertise in security. Because of this, the InfoSec team should define policies for code signing certificates, such as which certificate authorities should be used, the encryption strength of keys, etc.
4. Establish global visibility
InfoSec should have visibility into all code signing operations, enterprisewide. To detect risky patterns as well as pass compliance audits, it is important to have visibility into:
- All code that has been signed
- What code signing certificates were used, even if when they come from different certificate authorities, including internal CAs
- Who signed the code, what machine it was signed on, when it was signed, and with which code signing tool
- Who approved the code signing operation
5. Provide an easy-to-use code signing service
Software teams are driven by release schedules. Anything perceived to interfere with their ability to release code is often discarded for something more convenient. Therefore, code signing should be made available to software teams as an easy-to-use, fast, simple service that readily fits into their established software release process. This often means that it needs to have an API so that it can be automated and accessible through scripting.
The Venafi protection
“The only way to protect themselves and their customers is for organizations to have a clear understanding about when code signing is allowed, where it is being used and insight into the integrations between code signing and development build systems,” says Kevin Bocek. “This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”
Learn how Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code signing activities.
- Protecting Your Software Infrastructure in these Uncertain Times
- Study: How Well Are You Protecting Code Signing Certificates?
- The Hidden Dangers of Unsigned Firmware