The Importance of Code Signing in the Software Supply Chain

Code signing is essential for software supply chains because it offers trust in software updates before the installation and delivers cryptographic assurances using private and public keys.

But is your code trustworthy?      

In today’s world, it is tough to gain trust. So, how do you know the app run by you, the container deployed by you, or the code delivered to your customers is true? How do you know it hasn’t been interrupted?

Well, it narrows down to code signing!

So, here we will discuss the importance of code signing and problems faced in implementing it efficiently.

In today’s time, the software doesn’t work as your storefront. It is the running engine behind all businesses. And, to make the engine run smoothly, you need an oiled machine so that everything made and deployed is trusted.

Code signing works as oiling for the software supply chain. A code signing certificate verifies the source vendor identity and proves that it hasn’t been interrupted since it was published.

Soon, there will be a time when everything will move towards signing- not only the software bought from third parties but also the software built and deployed in your own companies. It includes everything including containers, libraries, scripts, files, etc. However, it is to note that a developer or publisher should buy Code Signing certificate from reliable third party certificate authority (CA) like GlobalSign, Sectigo, Comodo Code Sign certificate. All these CA offer discounted price on code sign cert and a software developer can avail benefit of low price or cheap code signing certificate for software, driver or app.

How does a code sign certificate work?       

The company signs every code with a private key, and the receiver checks the validity through the public key. However, if a cybercriminal accesses the code-signing key, either via burglary or acquiring access to build service, they can inject malware. They require a single signed code piece to access the network, and a wide number can be infected. So, if a company with software updates is vulnerable, all organizations delivering them are too!

To prevent becoming an attacking center for your customers and associates, any business supplying software updates should choose an enhanced approach, i.e., code signing safety. Very often, the code-signing private keys for software updates are handled manually by the development team, proving to be a dangerous procedure. Without central oversight of the usage of keys and poor audits, the software becomes a vulnerable spot.

However, this should change! There should be central visibility for code-signing keys, along with the capability to know who is using them and security policies. Most vendors put the key in a Hardware Security Module or Key Management System to ensure that only authentic code is signed. However, relying on hardware-based safety options has become more challenging than before in today’s time. Having keys with the same number holding the data as in Key Management System is senseless. So, HSM and KMS offer safety against key burglary but not the misuse of the keys.

A hacker doesn’t need to steal the key but obtain one fraudulent signature to deploy malware pretending to be a valid update when attacking.

MPC (Secure Multi-party Computation), a part of cryptography may help. The technology splits a secret key into two or more pieces and positions them on different servers. All the pieces should be obtained to get the information related to the key, but eventually, not all are assembled. Hence, it is difficult for hackers to breach all servers to access the system.

Robust device separation can provide better key protection. It wipes out the one failure point and lowers the threats of insider misuse. Once the key is split further, you can cryptographically impose several checks in the signing cycle and code verification. Hence, the code can only be signed by users after it is checked for malware and other signing policies. For instance, it may define that developers can sign codes just on weekdays. Using MPC validates the policy by several machines, making it tough to bypass.

You can also write quorums so that 4 of 7 teams handling the release should approve before signing. Usually, with MPC, companies set up rigid maker and checker workflows, impose regulations and acquire better protection from attackers looking forward to injecting malicious stuff into the software.

How to safeguard code signing in the software supply chain in summary:

As companies move towards random software updates, distant development teams working, new signing solutions that are highly secure need to be adopted.

It is important to strike the perfect balance between you and your customer’s requirements for clarity, easy usage, and safety. Hence code signing is used. It offers a wide range of benefits:

  • Safeguards private keys in a centralized HSM, either physical or cloud-based.
  • Allows developers to use native equipment and signing approaches on their devices without letting the private keys leave the centralized HSM.
  • Give controlled access to teams.
  • Impose policy limitations for signing depending on users, location, signing methodology, and other aspects.
  • Have an auditing team to detect all code signing activities and the use of keys.
  • Incorporate with build servers to automate code signing.

This showcases the importance of code signing and the best ways to protect it. The rising possibilities of supply chain attacks make it mandatory for companies to closely observe who they purchase the software from. It is suggested to follow a no-trust security policy and impose vendor controls to avoid third-party movement in the networks. Also, go for software vendors offering higher safety guarantees exhibiting they follow advanced measures for detection, retort, and alleviation and install an authentically secure code signing certificate. They should sync with CISO or something similar and assess if the vendor cares about security. Lastly, they should have a well-crafted response plan because attacks are inevitable and can happen anytime.

Eventually, suppose you are supplying or buying software. In that case, companies should consider all supply chain attacks severely, including maintaining a close look at the code signing procedure and how keys are handled and secured. Legacy approaches that avoid key theft solely have proven to be inadequate. Supply chain attacks are costly and cause a lot of damage; hence companies should do all in their potential to manage them well and safeguard the software in every possible way.