Your Guide to Secure Code Signing: Four Steps to Get Started

Software now runs the world. Nearly everything we do in our personal and professional lives ties back to software in some way, especially with the rise of more connected Internet of Things (IoT) devices.

Once upon a time, we could simply trust the software that we downloaded, but those days are long behind us. With more software has come more cyber attacks, and this reality makes it essential to verify authenticity before downloading anything.

That’s where code signing comes into play.

But for all its benefits, implementing secure code signing is not without its risks, either. Let’s explore exactly why code signing is so important, common roadblocks, and how to overcome those challenges.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Code signing is a cryptographic method to prove software authenticity. Developers can digitally sign apps, software, or embedded firmware with a private key to prove that the code originates from a trusted, legitimate source and that it hasn’t been tampered with.

Without code signing – or checks within the software download to confirm code signatures – users can open themselves up to serious risk by downloading software from a malicious source.

We’ve seen these risks play out too many times over the past decade, with serious code signing attacks impacting vendors like Adobe in 2012, D-Link in 2015 and 2018, and ASUS via Shadowhammer in 2019.

The importance of implementing secure code signing is clear, as the risks of not doing so are far too high. What’s less clear is how to do so effectively. Some of the most common roadblocks organizations face to implementing effective, secure code signing include:

• Balancing development speed with the necessary security, as code signing processes can slow down development processes if not implemented with efficiency in mind
• Adapting to DevOps workflows to embed the signing process within the existing software development lifecycle

• Supporting dispersed developer teams in a way that keeps code signing certificates accessible without opening them up to hackers
• Protecting certificates from sophisticated attacks, since code signing certificates can fetch a high price tag on underground markets

Despite these roadblocks, it is possible to implement secure code signing practices in your organization. The following four steps have proven effective for organizations of all kinds:

The private keys that developers use to sign code are incredibly important to safeguard since they are what provide the stamp of authenticity to any code. If they fall into the wrong hands, then hackers can use them to sign malicious code that they then distribute to users under the guise of legitimacy.

Too often, teams store these private keys in insecure locations like developer workstations or build servers. To properly safeguard private code signing keys, they should live in a certified hardware security module (HSM). Additionally, your team should keep an inventory of the keys you have and centralize management of those keys to ensure a standardized, highly secure approach.

Safeguarding private keys is the first step, but even with those keys stored in an HSM, determined hackers can find ways to access them. Once a hacker gains access, they can execute a “software supply chain attack” that allows them to submit malware to be signed and distributed. These attacks are exceedingly difficult to detect because they come from the inside.

The best way to secure signing operations is to allow only authorized users to sign and approve code, that way you provide an extra check against anyone who might breach your network. Under this approach, you’ll need to define roles and separate duties for authorized users (which prevents any single user from being able to do too much on their own), introduce and enforce code signing policies, and track signing activities. It’s also helpful to lead separate code signing during the development and testing phases.

DevOps pushes development teams to deliver fast and deliver often, and against this backdrop, any additional steps that can slow down their workflows are typically frowned upon. Over the past several years, this situation has created friction between DevOps and security teams. But the need to integrate security checks – like code signing – into DevOps workflows is only increasing alongside ever-growing threats.

To make code signing as easy as possible for developers and avoid creating friction, you need to balance security requirements to protect private keys with the ability for developers to sign any code without disruption. Some of the best ways to do so include formalizing a code signing process that’s built around the existing software development lifecycle to minimize changes to that workflow, choosing a solution that allows developers to sign code from anywhere, and directly integrating with existing DevOps tools wherever possible.

Once you implement secure code signing practices, your work is far from over. It’s important to regularly monitor and audit compliance with those procedures to ensure teams don’t fall back into old habits. Additionally, certificates will expire, algorithms will weaken, and threats will continue to evolve, which means your security team needs to revisit practices regularly to ensure they stay up to date.

Ongoing management of your code signing practices should cover regular, real-time monitoring of code signing requests, authorizations, and signatures. You should also keep a comprehensive log of who uses code signing keys and follow certificate lifecycle management best practices to issue, renew, and revoke keys as needed.

Code signing is an essential safety check in today’s software-driven world. It allows users to trust that what they’re downloading is from a legitimate source and it enables software providers to maintain trustworthy brand reputations.

But implementing secure code signing practices is easier said than done. With more and more sophisticated threats emerging every day, it’s not as easy as just purchasing a code signing key. Secure code signing requires proper planning and safeguards at every turn, and the four steps outlined here can help you get there.

Interested in learning more about the risks around code signing and how to implement more secure practices? Click here to download our eBook, The Definitive Roadmap to Secure Code Signing: Practical Guidance for Software Developers and IoT Manufacturers.