How to secure your software code-signing processes

When the high-profile SolarWinds cyber attack came to light in 2020, it served as a stark reminder of the weaknesses of software supply chains. More than 18,000 of the company’s clients were significantly impacted because its software had become infected with malware.

This type of attack is not new, however the sophistication now in use has grown significantly. For this reason, the tightening of code-signing processes within development teams has never been more important.

The role of code signing

In the SolarWinds attack, the company’s customers trusted that software built by the company would be free of malicious code. They had confidence in the signed software they received, as there was no evidence that tampering had occurred.

While it’s clear that there was no single fix that would have prevented the attack, had a code-signing key been stolen the misuse of those keys could have gone on undetected for much longer. Key protection and access controls are the foundation and are critical to protecting the software pipeline.

Code-signing certificates are machine identities and enable developers to prove that a piece of software is authentic. By digitally signing apps, software, or embedded firmware with a private key, proof is provided to end-users that the code is from a trusted and legitimate source.

However, if code-signing machine identities are poorly protected, there can be significant consequences. The machine identity can be used as a weapon that enables hackers to subvert code signing processes, while appearing to be trustworthy.

A new approach

VIEW ALL

Traditionally, many companies have tended to protect their software build environments by completely sandboxing them and having no external access. Any source code brought in would be carefully scanned to ensure no known vulnerabilities were present. While this sacrificed some convenience and speed, it enabled the best product possible to be developed.

However, due to the speed of developers and digital transformation business timelines, this approach is no longer possible. A new way to check software while also ensuring security must be found.

One approach that can be taken is to lock down the build pipeline and only allow software packages that have been specifically approved for installation. There is no reason a very static list of approved binaries with valid signatures can’t be checked before being allowed to execute.

A second approach is to tighten code-signing procedures to enforce the strict amount of software packages in the workstation and ensure only trusted code is run. Then only software signed by the vendor becomes part of the build system and any malware installed will be unable to run.

Five steps to preventing attacks

While there is no silver bullet that can fully protect against attacks such as that mounted against SolarWinds, there are five key steps that organisations should take. These steps are:

1. Centralise your key protection: By centralising the storage of private keys, an organisation won’t have to worry about unauthorised copies or the locations of signing keys.
2. Limit the number of people who can sign code: Organisations need an approval workflow so they can configure which users are actually authorised to sign code, and on which systems they are approved to request signing operations from centrally stored keys.
3. Introduce a system of approval at time of signing: Once you have approved a user and a system to do signing operations, it is important to monitor what they are actually signing. Organisations must define an approval process that can allow an administrator to inspect the signing request before it is approved.
4. Ensure there is an ability to control signing: All approval and signing operations must be assigned to systems accounts and inspected and scheduled. Automation is required to enable developers to deliver on time while ensuring they have the rules in place to prove they are in control of the entire signing process.
5. Have effective auditing and reporting procedures:
   Being able to audit and prove that policies and best practices are being followed is critical when using code signing in a software-delivery pipeline. Organisations need to keep a record of code-signing operation activity as well as approval operations, so that risk of attacks from cyber criminals can be mitigated.

It’s important for IT teams to constantly monitor and evaluate their security around machine identities. This effort must go above and beyond improving security efforts focused on reducing vulnerabilities in the code.

For risks to be significantly reduced, the entire build process needs to be secured with machine identities. In this way, the chances of cyber criminals gaining access will be reduced along with the risk of costly disruption as the result of an attack.

Tony Hadfield is the senior director of sales engineering at Venafi.