Code signing is a cryptographic technique intended to prove that code flowing into a repository was not altered, and to verify the identity of the signer. However, often the processes and tools being adopted by organizations lack the features to achieve this purpose. This leaves the organization vulnerable to various code signing system threats such as private key theft, as outlined by NIST's Security Considerations for Code Signing.
According to a 2019 study, only an average of 28% of organizations globally have adopted defined cybersecurity processes for code signing at all, despite the fact that most IT professionals understand the risks involved in unsecured code changes.
When attackers breach code signing systems, the consequences can be severe. These attacks are costly to remedy, and in the worst cases, cause irreparable loss of trust in the organization, as the breaches of SolarWinds, NotPetya, and Kaseya show.
Read on to learn about five significant threats to your code signing system, and how organizations can mitigate these risks by making sure every commit is signed by verified corporate identities and devices.
1. Private key theft
Private code signing keys are a juicy target for cybercriminals. Improperly protected keys are dangerous, and incidents of them being stolen are reported with alarming frequency.
Stealing a private code signing key allows attackers to disguise malware as authentic code. Code signing systems also offer only limited revocation mechanisms, which makes a stolen private signing key even more dangerous.
A recent, high-profile example of this risk was the October 2021 breach of a private key for the EU’s Green Pass vaccination passports. Embarrassingly, the hackers created passes for the likes of Mickey Mouse and Spongebob Squarepants, and their success in breaching the system enabled them to sell passes on the black market. The incident also opened up a real risk of existing Green Passes being invalidated, undermining the entire vaccination passport system.
2. Unauthorized code signing certificates
A related risk concerns the private keys of Certificate Authorities (CAs), the entities that issue certificates to code signers on condition that the signers comply with the CA's policies and requirements.
Insufficient protection of CA private keys used to issue these certificates, or weak vetting processes used for certificate issuance, can allow cybercriminals to obtain unauthorized code signing certificates.
In 2011, a leading Dutch certificate authority, DigiNotar, experienced a security breach that resulted in code signing certificates being issued fraudulently for the servers of high-profile organizations ranging from Microsoft to the CIA.
The incident gained international attention due to the breach of the personal data of 300,000 Iranian Gmail users, and it ultimately forced browsers and CAs to implement new protocols to allow them to detect cyberattacks more quickly. However, vulnerabilities remain in the CA infrastructure, and breaches have continued to occur since DigiNotar.
3. Misplaced trust in certificates or keys
Code signing verification tends to be handled by experts who know there is no such thing as being too careful when it comes to cybersecurity. However, an inexperienced verifier could inadvertently use unsuitable or untrustworthy keys and certificates for code signing.
Using untrustworthy or insecure keys and certificates makes your organization vulnerable to dangerous cyberattacks; furthermore, verifiers may be able to allow users to extend trust to such certificates, opening them up to risk.
4. Unauthorized or malicious code being signed
Wrongly or accidentally signing off code that is unauthorized or, worse still, malicious is a serious risk. Without the proper code signing procedures, anything from a genuine mistake to an insider attack, bad governance controls, or an intrusion into development systems can lead to malicious code being signed.
The 2020 SolarWinds cyberattack is an example of this. Orion, the network monitoring product used by SolarWinds, was compromised partly due to a weak password—“solarwinds123.” The password breach allowed the attackers to conceal malware in code without the developers noticing, leading to malicious software subsequently being signed.
The attackers gained access to emails and other sensitive information from some of the biggest public and private organizations in the US, and the breach cost the approximately 18,000 affected organizations an average of $12 million.
5. Weak cryptography
The use of weak cryptographic algorithms or insecure key generation methods opens the door for cybercriminals, making it easier for them to carry out successful cryptanalytic or brute force attacks.
The methods used by attackers are constantly becoming more sophisticated, meaning that future developments (for example, new cryptanalysis) can make cryptography that is adequate today insecure.
Beyond Identity: a secure code signing solution
Traditional code signing methods are vulnerable to breaches, and it often takes only one small hole in your defenses to fall prey to a cyberattack.
Beyond Identity’s Secure DevOps mitigates these risks by cryptographically binding identities to devices in order to verify users. Beyond Identity’s software signs every code commit and only allows validated committers, using GPG keys tied to their corporate identity and to their authorized devices, to commit code.
Without Beyond Identity, users can spoof admins and developers on Git: when personal Git accounts are not tied to a corporate identity, it is difficult to know for certain that someone is an authorized developer. They can also set the author field of a commit to whatever name they like, making the real author untraceable.
Beyond Identity solves this problem of code signing verification by ensuring that the authorship of the code is unambiguous, improving security and trust in the development process. This is achieved by the author verification API, which checks that the key that signed the commit is tied to a corporate identity using the Beyond Identity Authenticator on the authorized device.
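The same kind of check can be illustrated with stock Git signature fields. The following is an added example, not Beyond Identity's code or API: it audits `git log` output against an allowlist of signing keys and rejects commits that are unsigned, signed by an unknown key, or whose author field does not match the key owner. The allowlist, email addresses, fingerprints and log lines are constructed for illustration.

```python
"""Audit commit signatures against an allowlist of corporate signing keys.

Input is the output of:  git log --format='%h|%G?|%GF|%ae'
  %G? signature status (G good, N none, B bad, U unknown validity,
      X/Y expired, R revoked key, E cannot be checked)
  %GF fingerprint of the key that made the signature
  %ae author email (free text set by the committer, not authenticated)
"""

# Hypothetical allowlist: signing-key fingerprint -> corporate identity.
TRUSTED_KEYS = {
    "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE": "alice@example.com",
    "9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB": "bob@example.com",
}

# Constructed sample log (not taken from a real repository).
SAMPLE_LOG = """\
c0ffee1|G|1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE|alice@example.com
c0ffee2|N||admin@example.com
c0ffee3|G|1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE|bob@example.com
c0ffee4|G|0000ABCD0000ABCD0000ABCD0000ABCD0000ABCD|alice@example.com
c0ffee5|R|9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB|bob@example.com
"""


def audit_commit(line, trusted=TRUSTED_KEYS):
    """Return (commit, verdict, reason) for one log line."""
    commit, status, fingerprint, author = line.strip().split("|", 3)
    if status == "N":
        return commit, "REJECT", "unsigned"
    if status != "G":
        # Bad, expired, revoked or unverifiable signatures all fail closed.
        return commit, "REJECT", f"signature status {status}"
    owner = trusted.get(fingerprint.upper())
    if owner is None:
        return commit, "REJECT", "key not on allowlist"
    if owner.lower() != author.lower():
        # Valid signature, but the author field names someone else.
        return commit, "REJECT", "author does not match key owner"
    return commit, "ACCEPT", "signed by " + owner


def audit(log_text, trusted=TRUSTED_KEYS):
    """Audit every non-empty line of a git log dump."""
    return [audit_commit(l, trusted) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for commit, verdict, reason in audit(SAMPLE_LOG):
        print(commit, verdict, reason)
```

A check like this belongs on the server side (for example in CI or a pre-receive hook), since anything enforced only on the developer's machine can be bypassed by the same person who set the author field.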
If you’d like to see how Beyond Identity could bring secure authentication to your organization, book a demo today.