To stay competitive, companies are increasingly turning to specialized software solutions, gradually transforming their IT ecosystem into a patchwork of systems from different vendors. This is especially true of code signing.
Such disparity poses a potential threat to enterprise data security: it multiplies the trust relationships that must be maintained and gives intruders more potential entry points from which to launch their attacks. Because these systems are deeply integrated, to optimize performance and productivity, attacks also propagate faster.
Examples of supply chain attacks that leverage third-party software to infiltrate a business are multiplying. In 2020, malicious code introduced into a SolarWinds software update first spread to the systems of several branches of the US federal government, then spread internationally, infecting approximately 18,000 businesses.
In March 2021, more than 20,000 US businesses had their security compromised through a vulnerability in Microsoft Exchange Server. Risk also often enters the supply chain via partners that are generally considered harmless; this was the case in the attack on the supply chain of Codecov, a tool intended for developers, which gave the attackers the opportunity to take control of the supply chains of the company's customers as well.
Rethinking the signing process
If the risks associated with the software supply chain cannot be ignored, it is equally impossible to give up the advantages of new technologies. This is a daily dilemma for many companies: their software developers must choose between remaining compliant with the highest security standards and betting on more autonomy.
To reconcile these two contradictory approaches, it may be useful to rethink the code signing process, which helps prove that software has not been tampered with or corrupted prior to deployment.
Traditional code signing techniques use cryptographic keys to prove the identity of the author of code or the integrity of the content of a software deliverable. This is an additional burden for developers, who must generate these keys and keep them secure. Faced with this responsibility, some decide not to sign their code (which is bad for security). Others suggest writing less of it (which is bad for innovation).
Both of these approaches have a negative impact on other developers. Much of the software used in the world today is built on open source principles, so the question of provenance is increasingly important. This also applies to proprietary software, which increasingly incorporates open source code.
Open source must lead the way
In this context, the open source community must lead the way by simplifying the code signing environment for developers: first, by replacing permanent keys with ephemeral keys bound to existing identities (such as those of e-mail addresses or social networks); second, by producing a public, immutable log that records all signing activity. Combined, these two capabilities free developers from the burden of code signing, so they can devote themselves to what they do best, and they strongly secure the system.
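As an added illustration of the two capabilities just described (this is not code from the article or from any of the projects it names), the following Go sketch signs an artifact with a key that exists only for the duration of the call, then records the developer's identity, the one-time public key and the signature in a hash-chained, append-only log; the `Log` type, its methods and the identity `dev@example.com` are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// LogEntry is one record of a hypothetical public, append-only log: existing identity, artifact digest,
// one-time public key, signature, and the hash of the previous record (which chains the log).
type LogEntry struct {
	Identity, ArtifactSHA, PrevHash string
	PubKey                          ed25519.PublicKey
	Signature                       []byte
}

// Log holds the records plus the published hash of the latest one; a rewritten chain no longer ends at Head.
type Log struct{ Entries []LogEntry; Head string }

func entryHash(e LogEntry) string {
	h := sha256.New()
	for _, p := range [][]byte{[]byte(e.Identity), []byte(e.ArtifactSHA), []byte(e.PrevHash), e.PubKey, e.Signature} {
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// SignEphemeral signs with a key generated for this call only; the private key is dropped on return,
// so the developer has no long-lived key to protect. Only the public key is recorded, in the log.
func (l *Log) SignEphemeral(identity string, artifact []byte) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d := sha256.Sum256(artifact)
	e := LogEntry{Identity: identity, ArtifactSHA: hex.EncodeToString(d[:]), PrevHash: l.Head,
		PubKey: pub, Signature: ed25519.Sign(priv, d[:])}
	l.Entries, l.Head = append(l.Entries, e), entryHash(e)
	return nil
}

// Verify walks the chain (rejecting a log that was altered or reordered) and accepts the artifact only
// if some record binds this identity to this digest with a signature valid under the logged key.
func (l *Log) Verify(identity string, artifact []byte) bool {
	d := sha256.Sum256(artifact)
	want, prev, found := hex.EncodeToString(d[:]), "", false
	for _, e := range l.Entries {
		if e.PrevHash != prev {
			return false
		}
		prev = entryHash(e)
		found = found || (e.Identity == identity && e.ArtifactSHA == want && ed25519.Verify(e.PubKey, d[:], e.Signature))
	}
	return found && prev == l.Head
}
```

A consumer verifying a release therefore needs only the artifact, the claimed identity and read access to the log, never a key handed over by the developer.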
The software supply chain covers a very broad spectrum of environments: from the developer to the end customer, and from source code to delivery, passing through build, dependencies, assembly and packaging. As connected devices multiply relentlessly, the risk to supply chains also increases. To limit the damage as much as possible, an additional security effort must be devoted to supply chains.
Open source communities are hard at work addressing this issue. Many projects are emerging and complementing one another to improve the security of the supply chain as a whole, including sigstore, slsa.dev and CycloneDX.
This opinion piece was written by Nicolas Massé, Solution Architect at Red Hat.
Rethinking Code Signing: A New Way to Secure the Software Supply Chain – Tech Talks