On June 1, 2023, the Certificate Authority (CA)/Browser Forum’s new code signing baseline requirements came into effect, enforcing changes to the way organizations handle and protect code signing private keys. According to the new mandate, all publicly trusted code signing private keys must be generated and stored in secure hardware crypto modules such as hardware security modules (HSMs) that are at least FIPS 140-2 Level 2 or Common Criteria EAL 4+ and not on local machines. Generating and storing code signing keys in hardware crypto modules and as non-exportable, is a great way of minimizing exposure to code signing private keys.
Private keys are undeniably the most critical part of code signing and must be protected with the highest level of security as mandated by the CA/Browser Forum. However, there are some factors that organizations need to consider to ensure that the code signing process is both secure and efficient from the DevOps view point.
In many cases today, developers manage private keys independently, storing them on local machines and build servers for convenience, not security. Although common, prior to the new industry mandates, this is a high-risk practice that can expose private keys to theft and misuse, causing code signing compromises and data breaches. While storing private keys in HSMs undoubtedly increases key protection and mitigates risks, HSMs can also complicate key access for developers who want speed and agility. Organizations need to figure out how to implement HSMs to securely store code signing keys and simplify developer access to HSM-backed code signing certificates without impacting their speed and productivity.
A good place to start is to understand where your organization currently stands in terms of secure code signing and then implement the steps to evolve and mature your code signing processes so that you’re on par with new security requirements while keeping pace with DevOps speed, agility and efficiency. To get started, we have developed a code signing maturity model that helps you assess your current state of code signing and guides you to move towards mature code signing processes systematically.
The AppViewX Code Signing Maturity Model
You can evaluate your current code signing process maturity based on the three high-level stages below:
1. Ad-hoc: This is the most primitive stage, where organizations rely on ad-hoc and inconsistent code signing processes. As mentioned earlier, private keys are managed by developers, stored on their local machines, or build servers for convenience. The lack of standardized and secure private key storage, coupled with developers’ use of disparate code signing tools leads to discrepancies and risk in the signing process. Further, developers are often forced to sign code outside of their native tool sets, which disrupts their workflows and slows them down.
On the other hand, as modern enterprises have geographically dispersed development teams, including remote, code signing is highly scattered and difficult for security teams to track. There is no centralized certificate management, visibility, or control over who is accessing the private key, where they are stored, or what code was signed – which creates security blind spots and auditing and compliance issues.
2. Centralized: This is a step up from the Ad-hoc stage. Organizations in this stage understand the importance of secure code signing and have slightly more mature code signing processes. Private keys are stored securely in FIPS-compliant HSMs and accessed centrally, which significantly reduces the risk of private key theft or misuse. Security teams have full visibility and centralized control over private key storage, code signing certificate management, and access and usage. They define and enforce policies and workflows to ensure standardization, security, and compliance. Centralized code signing also supports a distributed team of developers enabling a consistent code signing process regardless of where developers are located.
While having a centralized code signing system is undoubtedly better than the ad hoc stage, there are still challenges on the developers’ end that are unaddressed, such as the complexity of signing code directly from native signing tools or within the CI/CD pipeline due to the lack of HSM integration with these signing tools and processes. The lack of code signing integration with DevOps is a major setback, impacting developers’ speed and productivity at this stage.
3. Integrated: This is the most mature of all stages, where code signing is highly secure and works hand in glove with DevOps and CI/CD processes. Organizations in this stage have their code signing processes completely integrated with native signing tools, CI/CD pipeline and workflows to make signing simple, fast, and secure for DevOps teams. The integration ensures seamless compatibility and allows developers to sign all containers, artifacts, and executables right from their native signing tools from anywhere. The integration also allows automatically triggering code signing during the build process, which helps streamline the signing process and ensures consistency and efficiency.
Integrated code signing also simplifies things for security teams. With private keys now stored in HSMs and managed by security teams, centralized code signing helps gain full visibility of all code signing events across the enterprise. Security teams also have policy-based control over who can access and use code signing keys and certificates, which helps simplify audits and ensure continuous compliance. This level of maturity allows organizations to enable high-volume code signing at the speed of DevOps without impacting developer productivity or compromising on security.
The CA/Browser Forum’s mandate promoting stronger private key protection is not just about regulatory compliance. It draws attention to the rapidly evolving threats in the software supply chain landscape and the increasing risk of code signing compromises. It is an opportunity for organizations to identify persistent challenges in code signing, make amends, and implement more mature and secure code signing practices to keep code and the software supply chain protected.
Get Started on Your Code Signing Maturity Journey with AppViewX SIGN+
AppViewX SIGN+ is a fast, reliable, and secure code signing solution built to protect the integrity of code, containers, firmware, and software. With a centralized and integrated approach, AppViewX SIGN+ simplifies code signing for DevOps and streamlines security.
AppViewX SIGN+ seamlessly integrates with native signing tools, CI/CD pipeline and workflows to empower DevOps teams to securely sign code faster and more freely. Security teams can rest assured with full visibility and policy-driven control over private key storage, code signing certificate management, and access and usage.
Learn more about AppViewX SIGN+ and how it can help you build a secure and mature code signing system. Read the AppViewX SIGN+ Solution Brief.