Delivering on the Fastsecure Vision with Hardened Code Signing

When Venafi’s CEO, Jeff Hudson, introduced the term fastsecure at the Machine Identity Management Global Summit 2021, there was a lot of head nodding across the team here at Futurex. In many tangible ways, fastsecure is a big part of what we do. To be sure, security is first and foremost, and speed is not far behind. Our hardware security modules (HSMs) meet or exceed the industry’s highest security standards and are a critical element in the fastsecure process.

In the world of machine identity management, fastsecure is focused on bridging the gap between DevOps and InfoSec. DevOps is all about rapid innovation, while InfoSec is about making sure developers don’t skip important security processes in the name of speed. It’s a balancing act and both sides need to be playing along for it to all come together seamlessly.

One area to achieve both goals is finding ways to harden code iterations without creating undue burdens on developers on the DevOps sides. Code signing—when implemented correctly—is an effective way to ensure code is trusted and hasn’t been tampered with. Digitally signing code for firmware, device drivers, applications, operating systems, or mobile applications is a proven and effective method for protecting software. It improves the security of the software supply chain by protecting the code integrity at each step.

In an effort to speed up the build and deployment stages of CI/CD workflows, DevOps teams may take certain shortcuts. To avoid lengthy certificate request processes, developers may be tempted to issue certificates signed by an untrusted source or stored insecurely. These manual, insecure cryptographic practices may be fast, but they are hardly secure and can expose organizations to a high level of risk that is clearly best avoided.

Code signing, and the certificates used in that process, should be centralized and automated using cryptographic hardware. The good news here is that hardened code signing, when managed in conjunction with a FIPS 140-2 Level 3 validated HSM, can be a straightforward four-step process:

1. Generate public-private key pair using an HSM.
2. Submit public key and Certificate Signing Request (CSR) to an issuing certificate authority (CA), either external or internal.
3. Identify publisher and authentication of CSR. The issuing CA packages the publisher's identity with the public key, then signs the package creating the code signing certificate.
4. Put it to use. Now that the code-signing certificate is ready for use, any executable can be signed and deployed unless further code testing or QA needs to occur. For optimal performance and security, store the code-signing certificate in a key management server (KMS) that protects the certificate behind a FIPS 140-2 Level tamper-resistant physical boundary.

The use of a KMS brings a range of other benefits that align with the fastsecure vision. For instance, an advanced KMS can help automate the entire code-signing and certificate management life cycle, remove workflow bottlenecks, and natively integrate with CI/CD systems. Less time generating and managing digital certificates equals faster code deployments—all without sacrificing security.

Making this happen is fast and easy for Venafi customers. That’s because Futurex’s HSMs, KMES Series 3 and Vectera Plus, are fully integrated with Venafi’s Trust Protection Platform (TPP). This integration enables security teams to define X.509 certificate profiles to fit the entire breadth of enterprise needs from mobile devices to ephemeral DevOps containers. And InfoSec and DevOps teams can use Futurex with the Venafi ecosystem from application servers to Application Delivery Controllers (ADC) to secure DevOps processes from initial code-signing through to delivery.

According to a study conducted by Venafi, code signing keys are high-commodity items for cybersecurity hackers to enable security incidents. Venafi offers up these security best practices:

• It is imperative that code signing keys be securely stored, such as in an HSM. Keys should never leave the secured location, even for a code signing operation.
• Storing them securely is no longer enough. A secure code signing process, such as the one provided by Venafi CodeSign Protect, helps to ensure that access to code signing keys is controlled and that proper measures are in place to protect access to the code signing key.
• Organizations need to also secure their software build pipelines. This means that intermediate artifacts used for building software—such as build scripts, source code, third-party libraries, open-source software—should all be signed throughout the software build process.

Code signing done right does increase the amount of digital signing that needs to occur; therefore, it is imperative that there are solutions—such as the one provided by Futurex’s HSMs and Venafi’s CodeSign Protect—that simplify how developers access private code signing keys while also creating a secure process that protects these valuable security assets from hackers.

We’re excited to be working with Venafi to bring the fastsecure vision to life and help our mutual customers securely and safely accelerate innovation.

Related Posts

• Protecting Your Software Infrastructure in these Uncertain Times
• Study: How Well Are You Protecting Code Signing Certificates?
• The Hidden Dangers of Unsigned Firmware