Code Signing: What is it and why is it so Important?

Most organisations understand the importance of code signing. Even so many companies struggle to put it into effect. So, what is it and how can IoT companies up their game?

Today's world is run by code. Software permeates almost every part of our lives. As the Internet of Things expands, software is becoming ever more embedded into the fabric of business, life and society.

As it does, so does the threat. Hackers have become more adept at hijacking software to launch attacks against all sorts of organisations. As such, Internet of Things providers, need to be on top of code signing.

The concept of code signing is a cryptographic approach used by developers to prove the authentication of software. Digitally signing apps, software or firmware provides a guarantee that its origin is safe.

Code signing is a software development process of digitally signing executable code to prove the identity of the software author. It guarantees that the code has not altered or corrupted since it was published. Both these points are extremely important for building trust with customers and safely distributing software.

However, although companies increasing see it as vital, they don't always get it right. When they fail the consequences can be serious. For example, according to many analysts failures in code signing procedures actually contribute to attacks. Take the SolarWinds Orion App hack as a case in point.

Hackers monitored and hijacked the build processes of the SolarWindsOrion App. At the point of compilation, it replaced source code content with a version which contained malware. SolarWinds, then signed the resulting executable allowing the malware to infiltrate thousands of government and private networks.

Although they had code signing in place, there appear to have been failings in the in-enterprise supply chain. Bad code was injected before the source code was read by the compiler. If the signing system does not know what it's supposed to be signing, the entire code signing process can be compromised.

This attack illustrates the growing sophistication of hackers and the increasingly insecure nature of the digital environment. In a world in which the costs of cyber crime are rising exponentially, people are becoming increasingly wary of downloading anything from the internet.

This creates a challenge for Internet of Things providers. They need their customers to trust their downloads. If, as in the case of SolarWinds, your software carries a bug past their defences, your customers are unlikely to trust you again.

Code signing, therefore, is becoming an increasingly important battle ground in the fight between IoT providers and cyber criminals. The former are using code signings to authenticate their downloads, while the latter have turned their attention on the code signing process.

Reports suggest22 millioncode signing keys were stolen or forged from legitimate businesses in 2020. This is a particularly malicious approach as it undermines the very principle of trust which code signing is supposed to install.

Once again it takes us back to a world in which, even if software is code signed, nobody can trust it.

For businesses, therefore, it is crucial to ensure watertight code signing processes and ensure best practices across an organisation.

Possible steps might include:

• Limited access to code signing keys.
• Required approval for the use of code signing keys.
• Keep code signing keys securely.

However, this can slow down the process of updates which can frustrate developers, especially if code signing tools are not integrated with the development process. This can lead to weaknesses which can be exploited by hackers.

It is crucial therefore to ensure best practice and to integrate all parts of the development process. By doing so, your company can reduce risks of seeing a code signing key stolen or a piece of malicious code creeping into the process before it's signed.

However, one of our investments, Device Authority has a proven approach to ensure the safe provision of code signing. Through the seamless integration betweenVenafi CodeSign Protect and Device Authority KeyScaler the solution allows you to secure your code signing and update delivery process for IoT devices and deliver critical requirements for IoT environments:

• Access to secure updates is restricted to authorised devices
• Updates are also specifically encrypted for target devices and are not exposed as unprotected software or firmware downloads
• Secure updates ensure that both the update source and the integrity of the updates themselves are verified, delivering end-to-end protection for device updates
• Policy driven processes deliver scaler through automation
• Native integration rapidly reduces time needed to implement a secure update process for IoT

The landscape is moving quickly. Technology evolves on both sides of the fight against cybercrime. As such companies will need to constantly update defences to ensure they can counter the latest threats and harness the most sophisticated security solutions to protect their brand equity.