Strong code-signing best practices are an invaluable way to build trust in the development process and enable a more secure software supply chain.

Murali Palanisamy, Chief Solutions Officer, AppViewX

March 22, 2024

4 Min Read
Hand signing name on a digital padlock
Source: Andrea Danti via Alamy Stock Photo

COMMENTARY

The recent news that hackers had breached remote access solution company AnyDesk shined a harsh light on the need for companies to take a long, hard look at code-signing practices to help ensure a more secure software supply chain.  

Code signing adds a digital signature to software, firmware, or applications that assures the user code is coming from a trusted source and hasn’t been tampered with since it was last signed. But code signing is only as good as its execution, and inadequate practices can lead to malware injections, tampering with code and software, and impersonation attacks. 

Private keys have to be protected, but many developers (mainly for convenience reasons) maintain their own and store them in their local machines or build servers. This leaves them open to theft and misuse, and creates blind spots for security teams.  

Following the SolarWinds hack in 2020, the Certificate Authority/Browser (CA/B) Forum released a new set of baseline requirements for maintaining code-signing certificates that mandates the use of hardware security modules (HSMs), devices that maintain and secure cryptographic keys, as well as other measures to protect private keys. 

HSMs provide the highest level of security, but they also increase cost, complexity and maintenance demands. Unless they can be integrated into the code-signing tools used by the DevOps team, the disconnect can complicate the code-signing access and slow down the process.  

Migration to the cloud has made security a higher priority, but the cloud also offers a solution to code signing. Cloud code signing and HSMs can provide the speed and agility that developers want, as well as centralized control that supports distributed development teams, integrates into the development processes, and can be more easily monitored by security. 

The Journey to Integrated Code Signing 

With the recent changes from the CA/B Forum, it is time for organizations to embark on a journey to modernize their code signing with centralized control to support development teams. Many companies remain in the "ad hoc" stage, where keys are maintained locally and developers use a variety of code signing processes and tools. Others have centralized control to give security teams visibility and governance by using HSMs to secure keys, but using separate code signing tools still impacts the speed of software development. 

The ideal, mature structure requires an integration of key security, code-signing tools, and development workflows to make the process seamless and streamlined across all builds, containers, artifacts, and executables. Security teams manage the HSMs and gain full visibility into code signing, while developers now have an agile and speedy development pipeline. 

A few best practices can help pave the way in this journey: 

  • Secure your keys: Store code-signing keys in a secure location, such as an HSM that complies with CA/B Forum cryptographic requirements (FIPS 140-2 Level 2 or Common Criteria EAL 4+). HSMs are tamper-resistant, and prevent private keys from being exported.

  • Control access: Minimize the risk of unauthorized access and misuse of private keys by limiting access through role-based access control. Define approval workflows and enforce security policies to regulate access to only the necessary staff, and maintain audit logs that record who triggered the signing request, who accessed the keys, and why. 

  • Rotate keys: If one key is compromised, all the releases signed with it are at risk of compromise. Rotate code-signing keys regularly, and use unique and separate keys for signing different releases across multiple DevOps teams. 

  • Time-stamp code:  Code-signing certificates have limited lifespans — one to three years and shrinking. Time-stamping code while signing it can verify the legitimacy of a signature even after the certificate has expired or been revoked, extending the trust of the signed code and software.

  • Check code integrity: Perform a full code review before signing and releasing the final build by comparing the code in the build server with the source code repository, and verify all developer signatures to make sure they are tamper-free. 

  • Centralize management: Businesses today are global. A centralized code signing process can help monitor signing activities and certificates across the enterprise, regardless of where developers are located. It improves visibility, builds accountability, and eliminates security vulnerabilities.

  • Enforce policies: Standardize the code-signing process by defining and mapping policies, including key usage permissions, approvals, key expiry, CA type, key size, signing algorithm type, and more. Automate policy enforcement to ensure all code, files, and software are signed based on policy and are compliant with industry standards. 

  • Simplify code signing: Integrating and automating code signing with CI/CD tools simplifies the process for DevOps without compromising security while promoting speed and agility.

In a world of continuous integration and continuous deployment, strong code-signing best practices provide an invaluable way to build trust in the development process and enable a more secure software supply chain.

About the Author(s)

Murali Palanisamy

Chief Solutions Officer, AppViewX

As Chief Solutions Officer, Murali Palanisamy is responsible for the overall product vision, development, and technical direction of AppViewX. Before joining the company, he served as senior vice president at Bank of America, where he led an architecture and engineering team for e-commerce application delivery. Prior to that, Murali was vice president of architecture and product engineering at Merrill Lynch. He has designed and developed automation and integration solutions for servers, application delivery controllers, IP services, and networking. Murali is an electronics and communication engineer from Bharathiyar University in India. Currently he is based out of New York.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights