How do code signing machine identities protect your network?
Tue, 26/04/2022 – 18:28
Code signing is a method of applying a digital signature to software or a digital file so that its authenticity and integrity can be verified during use. Like a wax seal, it ensures that the recipient knows who the author is, and that it has not been tampered with after being signed. In the past, code signing was only used on “final” software executables such as programs, software updates and shell scripts to verify the authenticity and integrity of these by users. final.
However, with the recent wave of software supply chain attacks where hackers insert malware before the final software is signed, code signing is now also used to protect middleware artifacts such as code source, build scripts, software libraries, runtime containers like Docker, and tools that are used by the software team to build their software. When the software is signed with a valid machine identity, such as a passcode Signing certificate and encryption key: Computing devices implicitly trust the software and run it unconditionally. Valid code signing indicates that the code comes from the trusted source that signed it and has not been modified by a third party. When this process is compromised, cybercriminals can misuse the identities of code-signing machines to infiltrate malware that appears to originate from your organization into your software.
What are code signing machine identities?
Code signing ensures that the code of a program or software download has not been corrupted and tampered with after being signed by the publisher/author. Just as you want to be certain when logging into your bank account that you have given your password to the target bank and not to a cybercriminal, it is best to ensure that the programs and updates you download are safe and from genuine publishers. You do this using the same public key infrastructure (PKI) used to secure HTTPS. When these machine identities are used to sign and verify software, it is called code signing.
Code signing is a process by which a software file, such as a program, document, file, driver, firmware, container, mobile application, or even a script, is digitally signed to show that it is comes from an identifiable source and has not been modified since it was signed. Three elements are required in a code signing operation:
- The code being signed
- A code-signing certificate that a certificate authority (CA) has previously issued
- A private code signing key used for encryption
Once the organization has the code signing certificate and private/public PKI key pair, developers can proceed with signing their code. Depending on the specific software development process used by the software team, the process shown in Figure 1-1 can occur hundreds or thousands of times per day. This process varies depending on the types of code signed and how often they are released.
When developers want to sign their code or middleware artifacts, they use the code signing tool provided by their development environment. This tool performs the following steps:
- The tool generates a unique number representing the code being signed (a process called hashing). Any subsequent changes to the code, such as extra space or a removed number, will cause the hash to change.
- Once the hash is generated (step 1), it is encrypted with the private key. This step ensures that no one other than whoever is in possession of the private key can modify the hash that was generated. This process is called signing.
- The signature and code signing certificate are combined with the original code to produce a signed version of the code.
Are your code signing processes secure?
When the identities of code-signing machines are properly protected, they are an effective tool to prevent cybercriminals from such attacks. Unfortunately, too many organizations have outdated and insecure code signing processes. This can make your organization vulnerable to security and brand risks. Additionally, with the explosion of software development within many organizations, traditional information security (InfoSec) teams have no visibility into how development teams actually sign their software, or measures they take to protect the identities of the code signing machine they use.
It’s easy to see why securely managing your private code-signing keys and certificates is essential to maintaining the integrity of your organization’s cybersecurity strategy. Traditional code signing is no longer enough in a world where threat actors are becoming more and more sophisticated in their attacks. You need to protect the identities of your code signing machine, and Venafi can help. With CodeSign Protectyour organization can benefit from fast and secure code signing.
Companies spend billions every year on identity and access management to protect human digital identities, i.e. usernames and passwords. On the other hand, relatively little is spent on managing machine identities, code signing keys, and certificates, even though the entire digital economy relies on access to software and a secure infrastructure. As businesses increasingly transform their operations to digital, a trend known as digital transformation, every business is becoming a software business, and the need to protect this critical infrastructure with machine identity management code signing has become more critical than ever.
*** This is a syndicated blog from the Security Bloggers Network of the Rss blog written by brooke.crothers. Read the original post at: https://www.venafi.com/blog/how-do-code-signing-machine-identities-protect-your-network