{"id":2769,"date":"2024-03-22T09:00:00","date_gmt":"2024-03-22T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/8-strategies-enhancing-code-signing-security"},"modified":"2024-03-22T09:00:00","modified_gmt":"2024-03-22T14:00:00","slug":"8-strategies-for-enhancing-code-signing-security","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/03\/22\/8-strategies-for-enhancing-code-signing-security\/","title":{"rendered":"8 Strategies for Enhancing Code Signing Security"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

The recent news that hackers had breached remote access solution company <\/span>AnyDesk<\/a><\/span> shined a harsh light on the need for companies to take a long, hard look at code-signing practices to help ensure a more secure software supply chain.  <\/span><\/p>\n

Code signing adds a digital signature to software, firmware, or applications that assures the user code is coming from a trusted source and hasn\u2019t been tampered with since it was last signed. But code signing is only as good as its execution, and inadequate practices can lead to malware injections, tampering with code and software, and impersonation attacks. <\/span><\/p>\n

Private keys have to be protected, but many developers (mainly for convenience reasons) maintain their own and store them in their local machines or build servers. This leaves them open to theft and misuse, and creates blind spots for security teams.  <\/span><\/p>\n

Following the <\/span>SolarWinds hack<\/a><\/span> in 2020, the Certificate Authority\/Browser (CA\/B) Forum released a new set of <\/span>baseline requirements<\/a><\/span> for maintaining code-signing certificates that mandates the use of hardware security modules (HSMs), devices that maintain and secure cryptographic keys, as well as other measures to protect private keys. <\/span><\/p>\n

HSMs provide the highest level of security, but they also increase cost, complexity and maintenance demands. Unless they can be integrated into the code-signing tools used by the DevOps team, the disconnect can complicate the code-signing access and slow down the process.  <\/span><\/p>\n

Migration to the cloud has made security a higher priority, but the cloud also offers a solution to code signing. Cloud code signing and HSMs can provide the speed and agility that developers want, as well as centralized control that supports distributed development teams, integrates into the development processes, and can be more easily monitored by security. <\/span><\/p>\n

The Journey to Integrated Code Signing <\/span><\/h2>\n

With the recent changes from the <\/span>CA\/B Forum<\/a><\/span>, it is time for organizations to embark on a journey to modernize their code signing with centralized control to support development teams. Many companies remain in the “ad hoc” stage, where keys are maintained locally and developers use a variety of code signing processes and tools. Others have centralized control to give security teams visibility and governance by using HSMs to secure keys, but using separate code signing tools still impacts the speed of software development. <\/span><\/p>\n

The ideal, mature structure requires an integration of key security, code-signing tools, and development workflows to make the process seamless and streamlined across all builds, containers, artifacts, and executables. Security teams manage the HSMs and gain full visibility into code signing, while developers now have an agile and speedy development pipeline. <\/span><\/p>\n

A few best practices can help pave the way in this journey: <\/span><\/p>\n

\n