Signed, Sealed, Delivered! Code Signing Makes Software Yours

In “Signed, Sealed, Delivered,” Stevie Wonder sings “You’ve got the future in your hand — signed, sealed, delivered, I’m yours.” That is not much different from what happens with software and firmware code signing today. Whether it is a software upgrade for a program, a mobile application, or firmware for a device, code is signed, sealed, and delivered, and you are left with the future in your hands!

Code signing is increasingly common and critically important. It ensures provenance, authenticity, and integrity. However, because it happens in the background — frequently automatically in the middle of the night — you likely don’t even know when it occurs.

The process is analogous to a tamper seal on our medications. We certainly would not take our medicine if the seal on the bottle was broken. So why would we allow our applications and devices to install a software update, if we cannot verify the update’s provenance, authenticity, and integrity?
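The tamper-seal check described above, as an added example that is not part of the original post: a vendor signs a firmware image with an Ed25519 key, and the device refuses to install anything whose signature does not verify against the vendor's public key. The update format, key generation and firmware bytes are constructed for the demo; in practice the private key would live in an HSM and the public key would be provisioned into the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate is a constructed package format: the image bytes plus a
// detached Ed25519 signature over the SHA-256 digest of the image.
type SignedUpdate struct {
	Image     []byte
	Signature []byte
}

// SignUpdate is the vendor-side step, run wherever the private key is kept.
func SignUpdate(priv ed25519.PrivateKey, image []byte) SignedUpdate {
	digest := sha256.Sum256(image)
	return SignedUpdate{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the "tamper seal" check a device runs before installing:
// it recomputes the digest and checks the signature against the trusted key.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate) error {
	digest := sha256.Sum256(u.Image)
	if !ed25519.Verify(pub, digest[:], u.Signature) {
		return errors.New("update rejected: signature does not match image or trusted key")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v1.2.3")
	update := SignUpdate(priv, firmware)
	fmt.Println("genuine update:", VerifyUpdate(pub, update)) // <nil>

	tampered := update // same signature, one flipped bit in the image
	tampered.Image = append([]byte{}, update.Image...)
	tampered.Image[0] ^= 0x01
	fmt.Println("tampered update:", VerifyUpdate(pub, tampered)) // rejected

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	fmt.Println("wrong signer:", VerifyUpdate(otherPub, update)) // rejected
}
```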

In this blog, and in one by my PrimeKey cohort Malin Ridelius, we explore the need for trust throughout the software distribution chain. In the following, I focus on how to ensure that software and firmware updates do not become conduits for attacks, as updates become commonplace, and discuss the cryptographic mechanisms that need to be in place to protect underpinning signing keys. Read Malin’s blog “Avoid Managing a Myriad of Code Signing Solutions” to get the complete picture of this important topic.

Why Is Code Signing Important?

Today, more software and firmware is updated more often to support an exponentially increasing set of applications and devices that make up the growing Internet of Things (IoT) ecosystem. Gartner projects over 20.8 billion devices will be connected to the Internet by 2020 [1], and “IoT-based attacks are already a reality. A recent CEB, now Gartner, survey found that nearly 20 percent of organizations observed at least one IoT-based attack in the past three years.” And, “By 2021, regulatory compliance will become the prime influencer for IoT security uptake.” [2]

Counterfeit code is also on the rise. For example, according to ZDNet, “Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims.” [3] And the SSL Store’s Blog tells us that Chinese hackers used a legitimate company’s compromised digital certificate to sign its driver. [4]

So in this context, code signing is critical to keep your IoT and the data it generates safe.

The post Signed, Sealed, Delivered! Code Signing Makes Software Yours appeared first on Data Security Blog | Thales eSecurity.

*** This is a Security Bloggers Network syndicated blog from Data Security Blog | Thales eSecurity authored by Juan C. Asenjo. Read the original post at: https://blog.thalesesecurity.com/2018/11/07/signed-sealed-delivered-code-signing-makes-software-yours/