Recently, there was an announcement from GitHub that urged users of Gitlab to upgrade and fix a critical security flaw that allowed malicious users to run pipeline jobs as a non-authorized user. While the security flaw has been resolved, it serves as a reminder of the ever-present risks of cybercriminals targeting code repositories as a method to conduct supply-chain attacks. Last year, our Venafi research study found that 70% of security leaders reported that software supply chain attacks are one of the biggest security blind spots.
Code repositories have become a focus point for cybercriminals because sometimes they contain more than just code. Valuable passwords, API tokens and credentials are sometimes stored in these repositories, and are easier to access than you might think. This makes these repositories a prime target for cybercriminals to take advantage of.
CIO Study: Software Build Pipelines Attack Surface Expanding | Current Security Controls No Match for Modern Attack Methods
Code repositories: The good and the bad
The use of code repositories has provided immense value to the software development space, and they now serve as an integral part of software development that enables automation, collaboration and change tracking. However, without the proper guard rails in place, using poorly protected code repositories can present risk to the enterprise. Even change tracking, while providing some visibility, does not provide an adequate level of insight for a full audit trail to detect and mitigate risk.
If private repositories are left unsecured bad actors could leverage, for example, key sprawl within the enterprise, to gain access to software and insert malware into source code or steal sensitive information. Open-source repositories present even greater risk, as there is less security around them and there is a potential for outdated or unpatched code to be exploited by cybercriminals to insert malware. This malware can go undetected, which allows it to be published to internal systems, or externally to customers as an update, damaging systems and potentially stealing critical personal information. The risk becomes even greater in the post-quantum cryptography space, as developers are starting to experiment within this arena to prepare for the advent of quantum computers.
We recently saw the widespread repercussions of bad code being deployed and the impact it can have on customers with the CrowdStrike outage. Now, this specific instance was not due to a security or malware attack, but the consequences that impacted millions are similar to the impacts that can occur in a situation where malware is injected into code and released to customers. It also left customers open to risk from bad actors putting out malware masked as a patch installation file. Let’s look at a potential scenario and the risk that it could have to an enterprise if code signing is not utilized in a proper manner.
- Major Enterprise XYZ leaves an s3 bucket open for anyone to access within the enterprise
- Enterprise XYZ does not realize that there are passwords within the code that could potentially get into the wrong hands.
- Bad Actor A is able to gain access to the code with discovered passwords and decides to sneak in malware.
- The malware from Bad Actor A goes unnoticed because the code was signed using the credentials from the stolen account password and gets pushed to Enterprise XYZ’s customer base to download and install as a seemingly normal update.
- The malware was discovered by a customer, but it is too late. Enterprise XYZ now must release a public statement about the breach, pay millions in incident response and deal with the potential damage to their brand image for years to come.
Luckily, there are ways to protect your enterprise against potential risks posed by code repositories. One of which being a strong, secure code signing process.
The value of secure code signing operations
Code signing can help combat unauthorized, malicious code from running by helping to ensure valid code came from a trusted source and has not been altered since being signed. However, the code signing process, including the management of code signing credentials, must be strong and secure for it to effectively prevent the risk of malicious code being executed in their environments. This is because a weak code signing process provides little insight and presents major risks such as key sprawl, opening the risk of bad actors stealing these keys to use and negate the entire code signing process.
It can be challenging to secure code signing operations, internal and external code is being executed throughout the enterprise by developers at a massive scale, sometimes millions of code signing operations need to be executed in just one day. This is an incredibly difficult process to implement at a level that matches the scale of work, and the last thing that any enterprise wants to do is slow down the development and release process. Leveraging the power of automation and key management, it is possible to achieve the balance of secure code signing operations and efficient development times.
With Venafi CodeSign Protect, enterprises can easily gather insights into and tap into the power that comes with being able to automate code signing workflows, while ensuring keys and certificates never leave secure, encrypted storage. Automating code signing workflows, including tasks such as managing signing applications, setting up code signing requests, setting signing rights, and approving or rejecting key use requests, allows for teams to easily define and enforce their code signing policies. It also helps administrators easily set requirements for approvals, checks, and actions before a key can be used to sign, as well as time constraints, which set restrictions on when a key can be used. Working with multiple certificate authorities (CAs), Hardware Security Models (HSMs), development environments and toolsets, enterprises can secure their code signing workflows while reducing the burden on development teams.
CodeSign Protect also offers experimental Post-Quantum Cryptography signatures to help enable customers to test and establish a process for migrating from traditional signatures such as RSA and Elliptic Curve, to Post-Quantum. Being able to start the process of designing a security modernization plan can help enterprises get ahead and be ready for the eventual move to post-quantum.
How secure is your code signing process?
Finally, CodeSign Protect provides an audit trail for visibility into all code signing activity, to help the enterprise stay secure when utilizing code repositories. Information security teams have the data they need to review all code signing processes and can place restrictions where necessary to help prevent malicious code from being executed. Storing private keys in one secure location helps combat key sprawl, and these stored keys do not need to leave the vault when used for code signing operations, ensuring they are protected from potential theft or misuse. We are also excited to announce our upcoming 24.3 release will include a Signing Activity page to provide a convenient way to view, filter through records related to signing operations within the UI, rather than previously accessing these records through API.
Code signing itself provides a level of security when utilizing code repositories but enhancing that security with CodeSign Protect can ensure enterprises utilize these repositories safely.