The Ultimate Guide to Code Signing Best Practices

The Ultimate Guide to Code Signing Best Practices

The Top 11 Code Signing Best Practices to Protect Your Customers and Keep Your Software Tamper-Free

Want to protect your home from thieves? A security system is a popular option. However, it’s not very effective if you don’t install it properly, fail to activate it when you aren’t home, or use “123456” as the security code. The same applies to code signing certificates. They’re the best way to protect the integrity of your software and prevent tampering by hostile third parties, but only if code signing best practices are followed. Otherwise, you might as well not even bother.

If you still need convincing, just look at the recent SolarWinds breach. Sloppy code signing practices left the door wide open for hackers, and they were able to inject malicious code into legitimate software updates without anyone noticing. As Mike Nelson, DigiCert’s VP of IoT Security, explains:

“Code signing works. Poorly implemented code signing puts your business at greater risk. In the case of SolarWinds, they were using a code signing certificate to sign the files. The problem wasn’t the code signing certificate, the problem was the way they were practicing code signing.”

Those SolarWinds updates got pushed to nearly 18,000 customers, including Microsoft, Nvidia, Intel, and Cisco, who were suddenly left exposed via a backdoor hidden within the SolarWinds software. It’s nothing new – a similar situation occurred with Asus in 2019 – and attackers will continue to attempt code tampering as long as companies are lax with their processes.

So, what is code signing exactly? Why is it such an important part of the software development cycle? And, most importantly, what are the code signing best practices that your organization should always follow?

Let’s hash it out.

What is Code Signing?

First, let’s take a step back and review what code signing is and how it works. Code signing certificates help to:

  • Protect your code as it’s distributed online
  • Verify that you are the author of the file
  • Signal if the software has been tampered with
  • Provide a permanent, irreversible timestamp that allows for verification after certificate expiration or revocation

Code signing uses public key infrastructure (PKI) to apply a digital signature as proof of legitimacy and integrity. Extended Validation (EV) code signing certificates go a step further. A more vigorous verification process is carried out before certificate issuance, and the certificate itself is stored on a physical USB device as an additional layer of security. EV code signing also gets rid of Microsoft SmartScreen and other browser/operating system (OS) warnings thanks to the higher level of identity verification that’s initially required.

Without code signing, Windows generates the warning message on the left prior to installation. The warning goes away when a signed application is detected, as seen on the right.

Code signing is widely performed across all software platforms, device types, and application categories. In fact, some platforms actually make code signing a requirement for publishing.

Why is Code Signing Important?

Users want to be confident when downloading a file, and if there is any doubt in their mind then they will tend to reject the software altogether. Code signing acts as a sort of “digital shrink wrap” that tells the user that not only is the file coming from a verified source, but also that it hasn’t been tampered with in the meantime.

Code signing provides peace of mind and builds trust with end users, making them much more likely to install your application on their machine. It leads to more downloads, more users, and an improved reputation and brand image.

How Does Code Signing Work?

As we touched on earlier, code signing certificates are similar to other types of digital certificates in that they’re built on PKI. Their implementation and use depends on whether we’re talking about the developer or the consumer. We’ll start with the developer.

Code Signing and Developers

The general code signing process that’s carried out during the software development cycle is typically as follows:

  1. The developer generates a certificate signing request (CSR) and private-public key pair.
  2. The CSR (which includes the public key) is sent to the Certificate Authority (CA), who verifies the identity of the developer and issues the code signing certificate.
  3. The developer hashes their code. This must be performed prior to signing. Basically, a hashing algorithm is used (most commonly SHA-256 nowadays) to convert the code into an arbitrary, fixed value (and is a one-way process). The result of the hashing is called a digest.
  4. The code signing certificate is used to create a signature block. The signature block is attached/included with the software file.
  5. The software has now been code-signed and is ready for distribution.

Code Signing and Consumers

Code signing more straightforward for users. Most operating systems will check for a code signing certificate prior to software installation. When a code signing signature is detected in the application, the OS will:

  1. Verify the legitimacy of the certificate.
  2. Use the public key from the CA to decrypt the digest.
  3. Use the same hash function to generate a new digest from the code.
  4. Compare the new digest with the original that was generated by the developer.
  5. If they match, then it confirms that they code hasn’t been tampered with.
  6. The OS proceeds with installation.

Viewing the properties of a code signing certificate.

The Top 11 Code Signing Best Practices

Now that we know all about how code signing works and why it’s so beneficial, let’s get into the code signing best practices. These should always be used by your organization in order to maximize the effectiveness of your code signing certificates.

1. Limit Key Access

  • Restrict access to private keys based on roles
  • Minimize the number of machines that store code signing keys
  • Minimize the number of staff members that can access the keys
  • Employ physical security controls in order to minimize key access such as key card-protected doors and locked drawers/cabinets
  • Always keep the private key behind lock-and-key

2. Maximize Key Security

  • Protect private keys with secure vaults and Hardware Security Modules (HSMs), which are special cryptographic processors solely designed for safeguarding keys

    An example of a Hardware Security Module (HSM).

  • Key-protection products should be at least FIPS-140 Level 2 certified
  • For transportation of private keys, use hardware that is protected with a strong password of at least 16 characters and contains uppercase and lowercase letters, numbers, and special characters
  • Ensure that private keys are never (for any reason) added to easily accessible places like GitHub, PasteBin, publicly accessible servers, etc.

3. Perform Time-Stamping

  • Time-stamps allow for verification of code even after the original code signing certificate has expired or was revoked
  • Time-stamp certificates can be used to validate for up to 11 years after issuance

4. Use Test-Signing Only When Appropriate

  • Test-signing certificates are either self-signed or come from an internal, private CA and should therefore only be used in a secure test environment
  • Test-signing certificates don’t require the same level of security as production code signing certificates
  • Test-signing certificates cannot chain to the same root as your production certificates
  • The test-signing infrastructure should be completely separate from the production infrastructure

5. Review Code Prior to Signing

  • Code should be thoroughly reviewed and authenticated prior to signing
  • A code signing submission and approval process should be created and used to avoid the signing of unapproved and/or malicious code
  • All code signing activities should be logged in case of future audits or security incidents

6. Scan First

  • It’s important to remember that code signing doesn’t ensure the safety of what’s inside – you can code sign a virus or malware if you really wanted to
  • Be extra careful when incorporating open-source code from external sources
  • Perform virus and malware scanning prior to code signing
  • Malware scanners can’t detect everything, so ensure that each code/component change has been manually vetted

7. Don’t Rely on One Certificate

  • Using multiple certificates helps to distribute risks
  • Multiple certificates can help make it easier to track any issues that may arise

8. Don’t Hesitate to Revoke

  • Any compromised certificates should be immediately revoked and reported to the certificate authority
  • “Compromised” means any suspicion that the private key may have gotten into the hands of an unauthorized user, or that the certificate was used to sign an application containing malware or other malicious code
  • Use time stamps to determine the latest possible revocation date that can be used in order to minimize the impact on safe code

9. Centralize Certificate Management

  • Certificate management platforms, such as DigiCert’s CertCentral or Sectigo Certificate Manager, use automation to simplify the certificate management process, reduce errors, and improve security of keys
  • Continuously monitor the status of your code signing certificates, another area where certificate management platforms help – they give you visibility and can provide alerts for possible issues
  • Regularly audit key usage to ensure policies are accurate

How a user requests a code signing certificate within DigiCert’s CertCentral certificate management platform.

10. Keep Up to Date

  • Stay informed regarding any new cryptographic algorithms or industry practices to ensure you have the best available protection
  • Immediately respond if any new security flaws or vulnerabilities are discovered

11. Create Organizational Policies and Procedures

  • Create a written policy document that everyone in the organization should follow – it should be a “living document” that adapts to any internal or external changes
  • Your code signing policy should address:
    • Who can sign code
    • What code signing tools are approved for use
    • Which kind of certificates are permitted
    • Who is the approver of code signing requests
    • How/where private keys are stored & protected
      • Train your staff on these best practices once per year

      All Signs Point to Best Practices

      As with any security measure, code signing is only as effective as its implementation and use. No company intends to fall victim to software tampering and end up like SolarWinds or Asus, but it only takes one mistake to leave yourself exposed. As Nelson of DigiCert says:

      “For those of you who may be down the road with some of these bad practices — stop. Get control of what you’re doing and minimize the risk for your business. SolarWinds isn’t the only organization with bad code signing practices — let’s use this compromise to improve the way we operate and keep our businesses safe.”

      The human element in the code signing process is most often the weak link, but technical mistakes can doom you as well. By following the best practices that we’ve outlined, you can minimize risk and educate your staff about how to sign code as effectively as possible. That way, you can consistently protect your software, your customers, and the brand that you’ve worked so hard to build.

      Article source : https://www.thesslstore.com/blog/the-ultimate-guide-to-code-signing-best-practices/

Do you needs a dedicated server for hosting your website or application?

Your web site gets thousands of visitors regularly, at that point you ought to think about a dedicated server or you need exclusivity or Security or Company Policy you must certainly go for the dedicated server.

We should audit four reasons you ought to think about deciding for a dedicated server.

  • Your site is developing and should have the option to deal with an expansion in rush hour ?

In the event that you foresee that your site will develop rapidly, it may be a smart thought to select a devoted dedicated server now. For instance, if your site is as yet utilizing shared hosting when your traffic spikes, its presentation could drop altogether. This can be a tricky slant of higher skip rates and loss of income. It’s imperative to give yourself an opportunity to relocate your site and ‘settle’ its exhibition before any potential issues emerge.

As per FXBlog, your webpage ought to be set up to deal with spikes of up to multiple times your typical day by day traffic, to represent advancements and unique occasions. In case you’re not readied, your site could crash or in any case lead to a negative client experience (UX).

  • Security is a top priority for your site

Security is significant for each site, however particularly for those taking care of delicate data. This could incorporate secret messages, credit card numbers, or delicate client data. It’s essential to shield this data and your site from infections, hacks, and different dangers.

With a committed dedicated server, you’re totally accountable for your site’s security. This implies you can improve the highlights you requirement for the particular prerequisites of your site and put away records. Obviously, you’re likewise liable for how these highlights are executed, yet this is one of the advantages of adaptability.

Notwithstanding, a few hosts offer completely oversaw and semi-oversaw support plans. More or less, you can frequently determine what both you and your host will be answerable for, which implies you can confide with a specialist with strategic usefulness while taking care of every single other concern straightforwardly.

  • You’d like your page loading times to be ideal

Your page loading times can significantly affect for all intents and purposes for all parts of your site. Slow pages can prompt low commitment measurements and high ricochet rates. A devoted server can assist you with optimizing this part of your site however much as could be expected.

On a shared hosting server, you won’t have any knowledge of when the server’s assets are being utilized somewhere else, which could make your site run gradually. Choosing a devoted server will promise you to have the transfer speed you have to improve your page stacking times.

  • Having control over your server is critical to you

The last explanation you might need to pick a devoted exclusive dedicated server over different alternatives is a straightforward one: control. We’ve suggested this in past areas, however, committed planning gives you complete obligation over how you decide to utilize your server.

For instance, you’re even allowed to pick the server programming you like. In the event that you favor the asset control of NGINX over Apache, you have the ability to do as such. In addition, you can modify server configuration software details and introduce your own working framework. Along these lines, committed facilitating might be an alluring alternative for cutting edge web designers and those with exceptional and explicit necessities. Choose The Best Plan from Systron – Leaders in Dedicated Server hosting For over two decades.

Which dedicated server is the best for you?

There are several variant of dedicated server available with us and as per your requirements, you should choose a dedicated server setup accordingly.

  • Basic Dedicated Server 

If a client has outgrown from a shared or reseller or VPS hosting account then normally he requires a dedicated server with his basic requirements. In this case client do not require much RAM, Hard Disk and basic Operating System installed on the dedicated server. Their main aim to upgrade to a Dedicated server is to improve the website response time. AMD Servers upto 32 GB RAM are available with us.

  • High-end Dedicated Server

This probably is the next stage of a basic dedicated server hosting package where a client is expecting a good performance of the server as he has understood that his requirements are on a rise now which is then followed by a Quad-Core Configuration. However, different clients have different requirements and setup of the dedicated servers as per their selection is important. In fact, at times there are many pre-requisites that a web server hosting company should take care of. Systron Offers Intel Dedicated Servers with 64 GB Of memory. If you want higher configuration contact sales@systron.net, Servers with memory up to 256 GB RAM can be provisioned within 24 hours of order.

  • Bandwidth Dedicated Server 

This server is required when a client needs to run live Audio/video streaming websites such as you-tube. He will not only need a high-specs server configuration, but also a good amount bandwidth which ranges from basic standard metered bandwidth per month to un-metered bandwidth of 100Mbps or 1Gbps Un-metered Bandwidth because the requirement of Data Transfer is high on these kinds of websites and it should be able to download or upload on the server as fast as possible. Systron offers 10GBps to 100 Gbps Ports for such type of hosting.

  • Database Dedicated Server 

Those who run Databases such as MySQL or MariaDB or PostgreSQL or MS SQL on a dedicated server are known as Database Dedicated Server Hosting. To host database server you will require more resources and higher-end server configurations in order to completely manage dedicated servers. Systron offers various specs according to your need, contact sales@systron.net.

  • Application Dedicated Server

The servers which are utilized to host Applications are known as Application Dedicated Web Servers. The client can host all kinds of legal applications such as live chat software, Flash tutorials, Media file installations, PHP Applications, .NET Applications, Node.js and other frameworks works well with such dedicated servers

  • Server Mirroring Dedicated Server

Many clients require their data mirrored to another server. This is because they do not wish to lose any data at any point in time. Servers are synchronized in order to transfer data from one server to another. RAID Configurations are set up on the same theme as dedicated Server mirroring. The only main difference is that RAID mirrors/strips on Hard Disks and Server Mirroring is the Server concept.

  • Email Hosting Dedicated Server

For securely hosting all your emails on your own dedicated server, you should order a dedicated server preferably with Plesk panel. Systron Technical support will help you set up, SPF records, DKIM and DMARC.  Apart from it bundling this solution with  Spam Filtering and Email Continuity solution would give you robust results.

WordPress best plugin for website security

  • Sucuri

Sucuri is the multi-functioned high profile security plugins which help you to notify the login attempts via email or other means. It helps to detect the malware or any malicious virus codes and clean it on time. It can be scheduled to check your entire website in hours, days or weeks. It provides complete security to WordPress blogs. This plugin usually includes all the security options so you do not have to install any other security plugin, also using too many plugins will slow down your website.

  • Login LockDown

This plugin is used to protect your website from brute force attacks. Brute force attacks usually attempt a thousand times to login to your dashboard using the different password combinations. Once they get the right one, they’ll take it all. Login LockDown

helps your website to limit the login attempts so that you can only login once, twice or thrice. You can set the number of login attempts to be made while logging in. It automatically blocks the IP which will try to fake login more than 2-3 times in the dashboard.

  • WP Security Scan

WP security scan is the free WordPress plugin easily available in the WordPress plugin directory. It helps the user to easily monitor the login attempts via email, password change notifications also helps to optimize the website data. It helps you to change the login form links and other secure area by changing their directory or names. It can be programmed to change the .htaccess and other secure files so that it cannot be shown publicly.

  • Wordfence

The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware. It helps to scan the viruses and malware data in your wp directories and files. This is the most popular security plugin for WordPress. Wordfence starts by checking if your site is already infected or not. If it has been infected it scans it and clears all the complications in your blog. It is a free plugin and also has an open-source license. Its features usually include:

      • Blocking Features
      • Login Security
      • Security Scanning
      • WordPress Firewall
      • Monitoring & Caching
      • Compatibility
  • Akismet

Last but not the least plugin which is very very important for every blogging website. The attackers are inventing new techniques daily to hack the growing blogs. This is a web server based plugin for checking the spam comments on your blog. When any hacker post a spam comment on your blog, Akismet
will check and verify that whether it is infected or not. It automatically checks all comments and filters the spam one. Comment hacking was newly discovered in the hacking technique. If someone post that code in your blog and you saw it mistakenly, they will get the .htaccess of your website from which they can easily reveal the Username and Password of your wp-admin dashboard.

Systron Micronix offers SiteLock, cWatch Security Solutions for websites.