{"id":14373,"date":"2021-04-06T20:51:40","date_gmt":"2021-04-07T00:51:40","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=14373"},"modified":"2023-01-30T16:47:44","modified_gmt":"2023-01-30T21:47:44","slug":"protecting-your-software-from-cyberattacks-with-code-signing","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/protecting-your-software-from-cyberattacks-with-code-signing\/","title":{"rendered":"Protecting Your Software From Cyberattacks With Code Signing Certificates"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-learn-how-to-keep-your-customers-safe-and-your-software-tamper-free-by-using-code-signing-certificates\">Learn How to Keep Your Customers Safe and Your Software Tamper-Free By Using Code Signing Certificates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Want to protect your home from thieves? A security system is a popular option. However, it\u2019s not very effective if you don\u2019t install it properly, fail to activate it when you aren\u2019t home, or use \u201c123456\u201d as the security code. The same applies to code signing certificates. They\u2019re the best way to protect the integrity of your software and prevent tampering by hostile third parties, but only if code signing best practices are followed. Otherwise, you might as well not even bother.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;If you still need convincing, just look at the <a href=\"https:\/\/www.thesslstore.com\/blog\/all-you-need-to-know-about-the-solarwinds-hack\/\">recent SolarWinds breach<\/a>. Sloppy code signing practices left the door wide open for hackers, and they were able to inject malicious code into legitimate software updates without anyone noticing. As Mike Nelson, DigiCert\u2019s VP of IoT Security, explains:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Code signing works. Poorly implemented code signing puts your business at greater risk. In the case of SolarWinds, they were using a code signing certificate to sign the files. The problem wasn\u2019t the code signing certificate, the problem was the way they were practicing code signing.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Those SolarWinds updates got pushed to nearly 18,000 customers, including Microsoft, Nvidia, Intel, and Cisco, who were suddenly left exposed via a backdoor hidden within the SolarWinds software. It\u2019s nothing new &#8211; a similar situation <a href=\"https:\/\/www.thesslstore.com\/blog\/code-signing-compromise-installs-backdoors-on-thousands-of-asus-computers\/\">occurred with Asus in 2019<\/a> \u2013 and attackers will continue to attempt code tampering as long as companies are lax with their processes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, what is code signing exactly? Why is it such an important part of the software development cycle? And, most importantly, what are the code signing best practices that your organization should always follow?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-code-signing\">What is Code Signing?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">First, let\u2019s take a step back and review what code signing is and how it works. Code signing certificates help to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect your code as it\u2019s distributed online<\/li>\n\n\n\n<li>Verify that you are the author of the file<\/li>\n\n\n\n<li>Signal if the software has been tampered with<\/li>\n\n\n\n<li>Provide a permanent, irreversible timestamp that allows for verification after certificate expiration or revocation<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Code signing uses public key infrastructure (PKI) to apply a digital signature as proof of legitimacy and integrity. <a href=\"https:\/\/www.thesslstore.com\/extended-validation-ssl-certificates.aspx\">Extended Validation (EV) code signing certificates<\/a> go a step further. A more vigorous verification process is carried out before certificate issuance, and the certificate itself is stored on a physical USB device as an additional layer of security. EV code signing also gets rid of Microsoft SmartScreen and other browser\/operating system (OS) warnings thanks to the higher level of identity verification that\u2019s initially required.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1007\" height=\"292\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc1.png\" alt=\"windows installation warnings\" class=\"wp-image-14376\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc1.png 1007w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc1-300x87.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc1-768x223.png 768w\" sizes=\"auto, (max-width: 1007px) 100vw, 1007px\" \/><figcaption class=\"wp-element-caption\"><em>Without code signing, Windows generates the warning message on the left prior to installation. The warning goes away when a signed application is detected, as seen on the right.<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Code signing is widely performed across all software platforms, device types, and application categories. In fact, some platforms actually make code signing a requirement for publishing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-is-code-signing-important\">Why is Code Signing Important?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Users want to be confident when downloading a file, and if there is any doubt in their mind then they will tend to reject the software altogether. Code signing acts as a sort of \u201cdigital shrink wrap\u201d that tells the user that not only is the file coming from a verified source, but also that it hasn\u2019t been tampered with in the meantime.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Code signing provides peace of mind and builds trust with end users, making them much more likely to install your application on their machine. It leads to more downloads, more users, and an improved reputation and brand image.<\/p>\n\n\n<span style=\"--tl-form-height-m:140.469px;--tl-form-height-t:116.8555px;--tl-form-height-d:116.8555px;\" class=\"tl-placeholder-f-type-shortcode_16066 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-does-code-signing-work\">How Does Code Signing Work?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As we touched on earlier, code signing certificates are similar to other types of digital certificates in that they\u2019re built on PKI. Their implementation and use depends on whether we\u2019re talking about the developer or the consumer. We\u2019ll start with the developer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-code-signing-and-developers\">Code Signing and Developers<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The general code signing process that\u2019s carried out during the software development cycle is typically as follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\">\n<li>The developer generates a certificate signing request (CSR) and private-public key pair.<\/li>\n\n\n\n<li>The CSR (which includes the public key) is sent to the Certificate Authority (CA), who verifies the identity of the developer and issues the code signing certificate.<\/li>\n\n\n\n<li>The developer hashes their code. This must be performed prior to signing. Basically, <a href=\"https:\/\/www.thesslstore.com\/blog\/difference-sha-1-sha-2-sha-256-hash-algorithms\/\">a hashing algorithm is used<\/a> (most commonly SHA-256 nowadays) to convert the code into an arbitrary, fixed value (and is a one-way process). The result of the hashing is called a digest.<\/li>\n\n\n\n<li>The code signing certificate is used to create a signature block. The signature block is attached\/included with the software file.<\/li>\n\n\n\n<li>The software has now been code-signed and is ready for distribution.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-code-signing-and-consumers\">Code Signing and Consumers<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Code signing more straightforward for users. Most operating systems will check for a code signing certificate prior to software installation. When a code signing signature is detected in the application, the OS will:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\">\n<li>Verify the legitimacy of the certificate.<\/li>\n\n\n\n<li>Use the public key from the CA to decrypt the digest.<\/li>\n\n\n\n<li>Use the same hash function to generate a new digest from the code.<\/li>\n\n\n\n<li>Compare the new digest with the original that was generated by the developer.<\/li>\n\n\n\n<li>If they match, then it confirms that they code hasn\u2019t been tampered with.<\/li>\n\n\n\n<li>The OS proceeds with installation.<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"413\" height=\"519\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc2.png\" alt=\"code signing certificate details\" class=\"wp-image-14378\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc2.png 413w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc2-239x300.png 239w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc2-75x94.png 75w\" sizes=\"auto, (max-width: 413px) 100vw, 413px\" \/><figcaption class=\"wp-element-caption\"><em>Viewing the properties of a code signing certificate.<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-top-11-code-signing-best-practices\">The Top 11 Code Signing Best Practices<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we know all about how code signing works and why it\u2019s so beneficial, let\u2019s get into the code signing best practices. These should always be used by your organization in order to maximize the effectiveness of your code signing certificates.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-limit-key-access\">1. Limit Key Access<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict access to private keys based on roles<\/li>\n\n\n\n<li>Minimize the number of machines that store code signing keys<\/li>\n\n\n\n<li>Minimize the number of staff members that can access the keys<\/li>\n\n\n\n<li>Employ physical security controls in order to minimize key access such as key card-protected doors and locked drawers\/cabinets<\/li>\n\n\n\n<li>Always keep the private key behind lock-and-key<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-maximize-key-security\">2. Maximize Key Security<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect private keys with secure vaults and Hardware Security Modules (HSMs), which are special cryptographic processors solely designed for safeguarding keys<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"284\" height=\"178\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc3.jpg\" alt=\"HSM\" class=\"wp-image-14381\"\/><figcaption class=\"wp-element-caption\">An example of a Hardware Security Module (HSM).<\/figcaption><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Key-protection products should be at least FIPS-140 Level 2 certified<\/li>\n\n\n\n<li>For transportation of private keys, use hardware that is protected with a strong password of at least 16 characters and contains uppercase and lowercase letters, numbers, and special characters<\/li>\n\n\n\n<li>Ensure that private keys are never (for any reason) added to easily accessible places like GitHub, PasteBin, publicly accessible servers, etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-perform-time-stamping\">3. Perform Time-Stamping<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Time-stamps allow for verification of code even after the original code signing certificate has expired or was revoked<\/li>\n\n\n\n<li>Time-stamp certificates can be used to validate for up to 11 years after issuance<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-use-test-signing-only-when-appropriate\">4. Use Test-Signing Only When Appropriate<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Test-signing certificates are either self-signed or come from an internal, private CA and should therefore only be used in a secure test environment<\/li>\n\n\n\n<li>Test-signing certificates don\u2019t require the same level of security as production code signing certificates<\/li>\n\n\n\n<li>Test-signing certificates cannot chain to the same root as your production certificates<\/li>\n\n\n\n<li>The test-signing infrastructure should be completely separate from the production infrastructure<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-review-code-prior-to-signing\">5. Review Code Prior to Signing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Code should be thoroughly reviewed and authenticated prior to signing<\/li>\n\n\n\n<li>A code signing submission and approval process should be created and used to avoid the signing of unapproved and\/or malicious code<\/li>\n\n\n\n<li>All code signing activities should be logged in case of future audits or security incidents<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-6-scan-first\">6. Scan First<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It\u2019s important to remember that code signing doesn\u2019t ensure the safety of what\u2019s inside \u2013 you can code sign a virus or malware if you really wanted to<\/li>\n\n\n\n<li>Be extra careful when incorporating open-source code from external sources<\/li>\n\n\n\n<li>Perform virus and malware scanning prior to code signing<\/li>\n\n\n\n<li>Malware scanners can\u2019t detect everything, so ensure that each code\/component change has been manually vetted<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-7-don-t-rely-on-one-certificate\">7. Don\u2019t Rely on One Certificate<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using multiple certificates helps to distribute risks<\/li>\n\n\n\n<li>Multiple certificates can help make it easier to track any issues that may arise<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-8-don-t-hesitate-to-revoke\">8. Don\u2019t Hesitate to Revoke<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Any compromised certificates should be immediately revoked and reported to the certificate authority<\/li>\n\n\n\n<li>\u201cCompromised\u201d means any suspicion that the private key may have gotten into the hands of an unauthorized user, or that the certificate was used to sign an application containing malware or other malicious code<\/li>\n\n\n\n<li>Use time stamps to determine the latest possible revocation date that can be used in order to minimize the impact on safe code<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-9-centralize-certificate-management\">9. Centralize Certificate Management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Certificate management platforms, such as <a href=\"https:\/\/www.thesslstore.com\/enterprise\/digicert-certcentral-enterprise.aspx\">DigiCert\u2019s CertCentral<\/a> or <a href=\"https:\/\/sectigostore.com\/enterprise\/sectigo-certificate-manager\">Sectigo Certificate Manager<\/a>, use automation to simplify the certificate management process, reduce errors, and improve security of keys<\/li>\n\n\n\n<li>Continuously monitor the status of your code signing certificates, another area where certificate management platforms help \u2013 they give you visibility and can provide alerts for possible issues<\/li>\n\n\n\n<li>Regularly audit key usage to ensure policies are accurate<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"527\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc6-1024x527.jpg\" alt=\"CertCentral\" class=\"wp-image-14382\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc6-1024x527.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc6-300x154.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc6-768x395.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc6-1536x790.jpg 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/csc6.jpg 1575w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>How a user requests a code signing certificate within DigiCert&#8217;s CertCentral certificate management platform. <\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-10-keep-up-to-date\">10. Keep Up to Date<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stay informed regarding any new cryptographic algorithms or industry practices to ensure you have the best available protection<\/li>\n\n\n\n<li>Immediately respond if any new security flaws or vulnerabilities are discovered<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-11-create-organizational-policies-and-procedures\">11. Create Organizational Policies and Procedures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a written policy document that everyone in the organization should follow \u2013 it should be a &#8220;living document&#8221; that adapts to any internal or external changes<\/li>\n\n\n\n<li>Your code signing policy should address:\n<ul class=\"wp-block-list\">\n<li>Who can sign code<\/li>\n\n\n\n<li>What code signing tools are approved for use<\/li>\n\n\n\n<li>Which kind of certificates are permitted<\/li>\n\n\n\n<li>Who is the approver of code signing requests<\/li>\n\n\n\n<li>How\/where private keys are stored &amp; protected<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Train your staff on these best practices once per year<\/li>\n<\/ul>\n\n\n<span style=\"--tl-form-height-m:886.734px;--tl-form-height-t:807.75px;--tl-form-height-d:807.75px;\" class=\"tl-placeholder-f-type-shortcode_16093 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-all-signs-point-to-best-practices\">All Signs Point to Best Practices<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As with any security measure, code signing is only as effective as its implementation and use. No company intends to fall victim to software tampering and end up like SolarWinds or Asus, but it only takes one mistake to leave yourself exposed. As Nelson of DigiCert says:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">For those of you who may be down the road with some of these bad practices \u2014 stop. Get control of what you\u2019re doing and minimize the risk for your business. SolarWinds isn\u2019t the only organization with bad code signing practices \u2014 let\u2019s use this compromise to improve the way we operate and keep our businesses safe.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The human element in the code signing process is most often the weak link, but technical mistakes can doom you as well. By following the best practices that we\u2019ve outlined, you can minimize risk and educate your staff about how to sign code as effectively as possible. That way, you can consistently protect your software, your customers, and the brand that you\u2019ve worked so hard to build.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn How to Keep Your Customers Safe and Your Software Tamper-Free By Using Code Signing Certificates Want to protect your home from thieves? A security system is a popular option&#8230;.<\/p>\n","protected":false},"author":37,"featured_media":14374,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[25],"tags":[],"class_list":["post-14373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ssl-certificates","post-without-tags"],"views":10596,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/04\/bigstock-Code-Html-Php-Web-Programmin-367468945.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/37"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=14373"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14373\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/14374"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=14373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=14373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=14373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}