Code Signing in the Age of Cloud and IoT

Written by

Code signing protects companies. In addition, it protects their partners, their users, and their consumers from evolving digital threats. 

The risks associated with software tampering are many, varied and growing as business and consumers embrace IoT and the cloud. In order to establish trust and reliance in a software-dominated world, organizations and the services they offer require a watertight code-authentication process.

Code signing is, primarily, a method of proving the origin and integrity of a file. The process entails digitally signing executables and scripts to confirm the software’s author and guarantee that the code has not been altered or corrupted since it was signed. It validates authentication of new code, as well ensuring that the origin of the code is from a legitimate provider.

When done right, code signing is one of the most potent weapons the cyber-security industry has at its disposal to mitigate risks, preventing them from taking hold before they happen. 

It is little wonder therefore that organizations around the world are increasingly turning to code signing as a best practice approach to protect businesses and their brands from the perils of infected software. 

Many of the major players in the tech industry have been vocal supporters of the implementation of code signing for many years, and the likes of Microsoft, Apple and Google continue to push companies towards the adoption of stronger and more robust code signing methods, especially as almost every new electronic device is connected to the Internet. Devices as varied as smart TVs, game consoles, and fitness trackers all leverage code signing as a best practice to ensure the authenticity of new software before it is used by a device.

By implementing code-signing policies, these companies are protecting software from being corrupted and bringing appropriate governance to software-publishing practices. 

What does this mean for the IoT? 
With organizations just beginning to discover both the benefit and the opportunities provided by the Internet of Things (IoT), we have already witnessed the proliferation connected devices to offer valuable functionality to deliver new revenue streams and cost savings. 

Despite the benefits however, the security risks of the IoT and the dangers associated with the wide-ranging use of malicious code are now very much a reality; making code signing indispensable. 

Globally, according to Gartner, there could be as many as 21 billion connected devices worldwide by 2020. With this number set to reach 80 billion by 2025, the IoT will continue to expose organizations to new and changing security vulnerabilities on a daily basis. 

What’s more, these risks are not exclusive to products that sit in our connected homes, or our mobile phone handsets. They can also take the form of safety risks on the road, with researchers having cited security flaws in new vehicle models as a modern-day risk of constant connectivity. 

Don’t take the risk
A combination of rapidly expanding network connections, and the advanced techniques deployed by cyber-criminals have enabled bad actors to pivot to other systems once they have exposed a vulnerability. 

These developments highlight why a combination of not signing code properly and falling short on best practices can result in companies running the risk of having criminals distribute harmful forms of code on their behalf. 

Ultimately, the protection of a private signing key is what makes or breaks a code signing system. Far too frequently these are being left in the hands of developers who fail to focus sufficiently on security. 

By protecting those private signing keys in a hardware security module (HSM), and implementing proper access controls and approvals, this provides stronger protection than traditional code signing, where keys residing in the software are more vulnerable. 

Above all, companies must establish secure code-signing systems requiring developers to plan for encryption key management – using HSMs – and implementing cryptographic best practices.

Defending against attacks and data loss by following best practice, thus creating a network of trusted IoT devices; reducing operational costs through the controlling and monitoring of geographically-dispersed devices, and, finally, protecting revenue streams and corporate reputation through the protection of manufacturing devices, all represent vital components of an effective cyber-security strategy designed to tackle the risks of the IoT. 

As consumers continue to digitally transform their daily lives, software is becoming ubiquitous in our everyday interactions. Code signing is the key to unlocking the IoT’s true potential, ensuring security and safety are embedded in every device.

What’s hot on Infosecurity Magazine?