8 Best Practices for Code Signing
Following steps to do things steadily will yield better results than taking a shortcut. Let’s take code signing, for example.
With so many threats facing software development, code signing — when implemented correctly — is an effective way to ensure code is trusted and hasn’t been tampered with. Why would an organization skip the code signing process and put its software and integrity at risk? Organizations may try to speed up the build and deployment stages of CI/CD workflows and shortcut the process. The biggest vulnerabilities with this typically involve private key storage and how code-signing certificates are issued.
Digital certificate management within organizations is often not as buttoned up as it needs to be to achieve airtight security. It’s not always the “scary” stuff, such as malicious developers; it’s often the everyday, unintentional mistakes that trip up organizations. Here are some examples of procedures that can go awry:
- Tracking. Large organizations often struggle to track all of the code signing certificates and distributed code. This can lead to unsafe procedures around private key. management, that can leave the organization vulnerable.
- Siloed teams that manually manage digital certificates. This can lead to teams bypassing PKI standards, even when mandated by the organization.
- Improper key management. If an unauthorized individual were to gain access to an organization’s private key, they could potentially sign malicious software (unintentionally or intentionally), which would be incorrectly verified by their public key and published as trusted code.
- Unsecured certificates. Not properly securing the certificates, not issuing them to the right individuals, not confirming that the individual has the authorization to receive the code-signing certificate, or issuing certificates signed by an untrusted source.
The better an organization does with its key management and code-signing management — whether it’s workflow-based or procedure-based — is critical. Therefore, it makes sense to take every step possible to preserve the integrity of private keys, including storing them on a FIPS 140-2 Level 3-validated hardware security module (HSM).
There are ways to take the appropriate steps to securely sign code digitally, while streamlining the overall process without slowing down the software development process. Here’s how this works:
- Generate public-private key pair. To securely sign an unsigned executable, the code publisher needs to generate a public-private key pair. This is required by most runtime architectures, including Windows, Java, and others.
- Submit public key and Certificate Signing Request (CSR) to an issuing certificate authority (CA). With the key pair generated, the CSR is generated and submitted to an issuing certificate authority (CA). The CSR contains information that identifies the publisher, signature algorithm, as well as the digital signature. This information is used by the issuing CA to issue the code signing certificate.
- Identification of publisher and authentication of CSR. The Issuing CA verifies the code publisher’s identity then authenticates the CSR, ensuring the publisher has digitally signed it. If both identification and authentication are successful, the Issuing CA packages the publisher’s identity with the public key then signs the package creating the code signing certificate.
- Determine the level of security. Now that the code-signing certificate is ready for use, any executable can be signed and deployed unless further code testing or QA needs to occur. Enterprises often find themselves storing their code-signing keys on the code publisher’s local machine or server, an insecure method that can result in significant problems.
By following these best security practices, organizations can minimize risks to code:
- Protect all private keys by storing them within a FIPS 140-2 Level 3-validated HSM.
- Centralize the process to streamline the DevOps and DevSecOps pipelines.
- Implement an approval process to ensure that all code being published is legitimate
- Implement code signing workflow that allows for automation of the process
- Minimize access to the HSM as much as feasible.
- Put processes in place that confirm the identity of the code publisher.
- Separate code to be signed that will be used in production environments.
- Implement a code signing solution that requires the publisher requesting a certificate to provide information about their identity.
Give your organization that extra security boost — and save you from exposure — by taking the steps to implement code signing correctly. Let’s schedule a meeting to walk through how to help maintain your organization’s day-to-day security health and longevity.