How To Streamline Hardened Code Signing in DevSecOps Pipelines

Walk through the process of hardened code signing and how to streamline its management in DevSecOps pipelines.

Digital certificate management, while promoting cybersecurity, can lead to different issues and frustrations among DevSecOps teams. Managing potentially thousands of digital certificates to secure and support your IT infrastructure can negatively affect the integrity of your application.

The time-consuming process of manually managing digital certificates can result in your team bypassing PKI policies to work more efficiently. In turn, it can lead to unnecessary security risks for your organization.

Streamline Hardened Code Signing in DevSecOps Pipelines

Particularly busy teams may resort to issuing certificates signed by an unverified source or stored in an insecure manner to stay on top of their timeline during the deployment process of their CI/CD (continuous integration and continuous delivery) workflow. After all, a certificate request process can sometimes take several months to complete. The best solution is centralized code signing and certification via cryptographic hardware.

Walk through hardened code signing and dive into deploying code signing among your DevOps and DevSecOps teams. We will also touch upon PKIs and how to manage them via hardware security modules when signing development pipelines.

What is a Hardware Security Module?

A hardware security model, or HSM, is a physical computing device that securely manages, encrypts, and decrypts digital keys and digital signatures via cryptographic functions and other authentication procedures.

They are generally devices that can be plugged into network services or PCs and contain at least one secure cryptoprocessor chip. HSMs can also be part of an organization's Public Key Infrastructure (PKI).

In Continuous Integration/Continuous Delivery (CI/CD) environments, both of which work together to deliver software products faster to consumers, HSMs are a tool used by Issuing Certification Authorities (CAs) to create, secure, and manage pairs.

How can you use hardened code for signing?

Step 1: Have unsigned code prepared for distribution

The code publisher needs to create a private and public key pair.

This first step is mandatory for most runtime applications, including Java, Windows, and Anypoint Enterprise.

Generating the most secure keys possible will require you to use a FIPS 140-2 Level 3 validated HSM.

Step 2: Contact the issuing certificate authority by submitting a public key

Your Certificate Signing Request (CSR) will contain data regarding the published signature algorithm. It will also have a digital signature.

With this information, the issuing certificate authority can sign off on the certificate. In certain application situations, some organizations may act as their own CA.

Step 3: Identify the publisher and authenticate the CSR

Authenticate the CSR by the issuing CA after verifying the identity of the code published. This results in a digital signature from the publisher.

If both the authentication and the identification match, the issuing CA condenses the publisher's identity into a public key and creates the code-signing certificate.

Step 4: Secure and sign

At this stage, it is time to sign the certificate. Depending on the situation, further QA or code testing may be necessary.

Your Public Key Infrastructure (PKI) company policy should require employees to avoid having their code-signing keys stored on local servers, as this could be a huge security concern.

According to a study by Verizon, 35% of data breaches involve internal actors.

Local machines can be hacked into or subject to theft. A vengeful former employee can potentially sign and deploy unauthorized code.

Consider investing in a separate Key Management Server, or KMS, which will secure your certificates with the power of a FIPS 140-2 Level physical boundary.

Ensure KMS has the appropriate cryptographic functions, such as symmetric and asymmetric encryption and hash functions, to automate the code-signing and certificate processes.

Your DevSecOps team will thank you when they can work more efficiently without wasting time manually managing their digital certificates.

Furthermore, your whole company will be more productive as codes and applications can be deployed faster and in compliance with best practices for functionality and security.

Streamline CI/CD Integration

Without the time-consuming procedures that come with traditional continuous integration code builds, DevOps and DevSecOps teams can work on more manual tasks that can't be automated.

Even if your build requires a clear workflow for digital certificates, code signing with integration in CI and CD can offer great perks for your workplace.

Automated code signing can be natively incorporated into the code and deployment workflow, meaning this is one area that your employees won't have to worry about manually managing.

Code-Signing Technology Integration

One of the many benefits of using HSM and KSM within your PKI is that they can easily integrate with the most commonly used code-signing tools, such as SignTool.exe with Microsoft Authenticode, Docker, and Java Jar Signer.

Integrating HSMs in a DevSecOps pipeline will streamline workflows and support other cryptographic operations your organization may use now or in the future.

Conclusion

Digital certificate management can become overwhelming for complex organizations.

To ensure adherence to your PKI policies and promote security and efficiency in your workplace, you should consider using centralized code signing and certification powered by cryptographic hardware.

Hard code must be managed and stored with an HSM to enhance security.