Why Every Organization Needs To Follow Code Signing Best Practices
Read time: 5 minutes
Hardening the security of an organization is extremely important as time goes on, since new techniques for infiltration are discovered often. Attacks can come from several different attack vectors, and one of the more common attacks executed today are code signing attacks. These attacks are exploited from several different means, but there are methods to harden security from these types of attacks. By following code signing best practices, you can harden your organization’s security against these attacks.
Why You Should Follow Code Signing Best Practices
As many organizations know, some of the most prevalent types of attacks today are supply chain attacks. Supply chain attacks are implemented on organizations that interact with a number of smaller organizations daily. What I mean by this is that supply chain attacks focus on organizations that provide software or tools to a number of smaller organizations. This allows threat actors to infect a tool or piece of software provided by a single organization, and in turn infect all the smaller organizations that use that tool. Some examples of supply chain attacks have been seen in recent news, such as the JBS Foods attack as well as the Colonial Pipeline attack.
Many of these supply chain attacks were done due to a lack of code signing best practices being in place. All it takes is a small gap that can be exploited by attackers to infect thousands of customers. Code signing is used as a common attack vector for supply chain attacks because with tools that are distributed to a number of different organizations, they must be updated regularly. These updates, as long as code signing is in place, will be known to be from a trusted source, meaning the organization who created the tool or software. Without code signing, anyone could send along an update to the tool that would then infect each person who used that update, and this is exactly what happened in a number of different supply chain attacks.
Code Signing in the Industry
Though code signing is not a new technology, as companies have used it for many years, there are still gaps found in code signing techniques regularly. Though not related to code signing, recently a flaw was found in the Java coding language, the Log4J vulnerability, which has been in Java code for years. This vulnerability, even though it was only recently discovered, is within the basis of the majority of Java code on the Internet. This recent flaw has sent the majority of the world’s companies into a panic attempting to patch this vulnerability. Many of these organizations will need to harden their security due to this flaw and keep up-to-date on updates from Java when an official patch does come out. This type of vulnerability is why it is so important to keep your systems updated with the best practices for code signing, as a large flaw like this may be found in the future.
Top Code Signing Best Practices
Below are some of the top code signing best practices that any organization can use to harden their existing security system.
- Utilization of Hardware Security Modules : One of the most important code signing best practices to follow is using a Hardware Security Module, or HSM, to protect your private keys used for code signing certificates. Though software-based storage methods exist and are a viable key storage method, HSMs are ultimately a much safer method of private key storage. HSMs use tamper-evident tools to ensure that no one without proper access to the HSM can utilize the keys held within. To access an HSM without the proper permissions, a threat actor would essentially need to steal the HSM from the server rack it is installed on and then physically access the HSM and steal the keys. The strength of the security behind an HSM is why they are recommended so highly for code signing best practices.
- Proper Access Control : Access to keys and HSMs in general must be carefully curated within an environment to ensure that unwanted users cannot use code signing for malicious intent. It must be assured that users within the environment only have access to the code signing processes and tools that they absolutely must have access to to complete their job. This method of access control is known as the Principle of Least Privilege. Least Privilege is commonly followed by most organizations, as it is a great method to control access to keys, files, and data in general within a secure environment.
- Use of a Secure Public Key Infrastructure : Another important part of a strong code signing environment is the use of a strong and trusted Public Key Infrastructure. A Public Key Infrastructure (PKI) uses Certificate Authorities (CAs) to distribute certificates, whether they be for code signing, authentication, or other purposes, to users and devices within an organization. A PKI used by an organization can be external, where a trusted secondary organization manages all the components of the PKI, or it can be internal and run by the organization itself. When using external PKI systems, the primary organization must ensure that it is using a trusted external organization to run it is a secure PKI. If using an internal PKI, organizations should ensure that it is properly setup, with every security detail properly in place. The average internal PKI utilizes a two-tier hierarchy, with an offline Root CA and an online Issuing CA. The Issuing CA is the one which will actually distribute certificates to users and devices within the organization.
- Proper Workflow Management : Another important part of code signing is ensuring that a proper workflow management is in place. Workflow management refers to the idea of having any code signing activity be logged and require approval from a secondary, trusted user. Logging of code signing activity is vital, as when a code signing breach occurs, the organization in question can audit the trail of the breach and ensure that the gap found in the environment is promptly fixed. Approvals are also important, as they ensure that if an insider threat were to attempt to send malware through a properly signed code update, a secondary user would look at the code to be signed and notice that it is not a proper update and stop the signing of that code.
As you can tell, hardening security whenever possible is very important to ensure the continued safety of an organization. Following best practice in all areas of computer security is very important, as a big flaw like the log4j vulnerability could be found at any time by any organization. Another great way to ensure an organization is following best practice is to monitor cybersecurity news and ensure that any patches or new methods of securing systems are updated when necessary. To learn more about how to implement our code signing product, visit our website at www.encryptionconsulting.com.