With software now central to every industry, most companies are in the software development business whether they think of themselves that way or not. Code signing is a critical security control that lets a business, and its customers, verify that software comes from the expected publisher and has not been modified. Code signing has provided this protection for decades, but attackers keep probing the signing process itself, and a compromised signing pipeline puts a business's reputation at risk. In this video, Thales and Venafi discuss how these evolving risks can harm a business and what you can do today to protect yourself.
TalkingTrust Series - Venafi - Code Signing
00:06 Hello, my name is David Madden, Senior Director
00:09 of Business Development at Thales.
00:11 Today we are here with Eddie Glenn,
00:14 Senior Product Marketing Manager at Venafi,
00:16 to do a TalkingTrust session on securing the software supply chain
00:21 with Venafi and Thales. This is a vital topic for our customers
00:26 as Venafi and Thales provide a turnkey solution
00:29 for automating the management of machine identities
00:32 in complex supply chains. So let's start first with a question.
00:38 Eddie, this is sure to be on people's
00:39 minds: what is the software supply chain
00:42 and why is this important to customers?
00:46 Hey Dave. It's great to be here. That's a good question.
00:50 So, software supply chain. If you think
00:52 about your business, you might be using, or
00:58 I shouldn't say might be, your business
00:59 definitely is using software.
01:01 It's either software you use for your
01:04 accounting systems or software for your internal databases,
01:07 but most companies now are offering types of software
01:10 for the products that they sell and the
01:13 software supply chain is
01:14 basically all of that software that's needed
01:17 to keep your business running. So it
01:19 might be software that you've developed,
01:21 it might be software that your company uses,
01:24 that accounting package that you've
01:26 purchased from someone else.
01:27 It might be open source library software
01:30 that your development teams are using
01:32 or commercial libraries that your
01:33 software development teams are using.
01:35 But software supply chains impact all of
01:38 us. I can't think of any business out there
01:41 that doesn't either use software to run
01:43 their business operations
01:44 or develop software because it's part of their product.
01:49 That makes sense. And of course, I guess
01:51 one of the big ones that involves software supply chains
01:54 is SolarWinds, as a software supply chain attack.
01:58 It sounds like you've done a lot of
01:59 research into this area at Venafi.
02:01 Can you share some of the key
02:03 findings? It's a great example of how vulnerable
02:07 our software supply chains are and
02:10 it really is. It's amazing.
02:14 Venafi did a deep dive analysis on what happened
02:17 with SolarWinds. We don't have any
02:18 inside information, this is all just from
02:20 publicly sourced information. Just in a nutshell,
02:24 what happened is that in December of 2020,
02:29 it was announced that a product
02:32 from SolarWinds called Orion
02:34 had been infected with malware. That then
02:36 infected other SolarWinds' customers.
02:41 It's like a dual kind of attack and
02:44 it was about 18,000 customers that were infected,
02:47 even though the attackers were only
02:49 targeting a subset of those. It ranged from
02:52 government entities like Department of Treasury,
02:55 Homeland Security, so you know really
02:56 important government agencies as well as
02:59 small medium and extremely large businesses
03:01 you know with well-known brand recognition,
03:04 as well as state and local governments.
03:07 But it was an eye-opener for us.
03:09 We know that hackers are constantly trying to get
03:12 malware in, but the level of sophistication and we'll
03:15 dive into this in a little bit, was pretty amazing.
03:21 It's true. As you're revealing this, you realize
03:24 how broad this was. Eddie, can
03:26 you share a little bit more about
03:27 how this attack was different from past
03:29 attacks and how does it impact the
03:32 software supply chain? Yes, so
03:35 right now I'm showing a diagram of a
03:37 DevOps pipeline, so you know DevOps, for
03:40 those that aren't familiar with software,
03:41 is the new way that
03:43 people are developing software to get
03:44 product out to market quicker
03:46 and as well as being able to
03:49 introduce new features as quickly as
03:51 possible. People might have heard
03:53 terms like digital transformation, cloud native,
03:57 all of these things are kind of related.
03:58 But really what's going on is
04:00 that developers are just
04:02 doing a lot extremely quickly and it's iterative.
04:05 When we think about traditional malware attacks,
04:09 usually it happens after a developer has
04:12 created their source code or created
04:14 their product and they start to
04:15 distribute their product.
04:17 Hackers will sometimes try to
04:19 insert malware at that
04:20 particular point. We have
04:23 ways of protecting against that,
04:25 things like code signing is very useful
04:27 to help ensure for end users that
04:31 the software that they're running and
04:33 that they're installing on their computers
04:35 is from the trusted vendor
04:37 they have the relationship with
04:38 that it hasn't been modified by a third
04:40 party. That's how code signing has worked in the past.
04:43 But this is what's different about
04:46 what happened with SolarWinds and SUNBURST,
04:49 the actual name of the attack, is that
04:51 the attackers went into the stream well before
04:56 what we typically see for when malware gets inserted.
04:59 They targeted the build systems of
05:01 the software development teams,
05:03 and if you're on the security side of
05:05 the house and you know that's what your
05:06 business is, you might be thinking,
05:09 I've got things well protected
05:10 down here because I'm
05:12 doing code signing. But you might not
05:14 have visibility into what your
05:15 development teams are doing
05:16 up here during their software
05:18 development activities.
05:20 And that's where SUNBURST was
05:23 very different. The attackers
05:24 broke into the build infrastructure.
05:28 They inserted some malware into the
05:29 source code. No one knew it.
05:31 The engineers built their product like
05:33 they always do, they released it, it got code signed, and
05:37 it got pushed out to customers.
05:38 This is where it really gets scary,
05:40 is that the hackers weren't really after
05:43 SolarWinds. They were after some of
05:45 SolarWinds customers.
05:47 So when they installed the software,
05:51 their environments basically opened up a back door
05:55 that allowed a different set of hackers
05:56 to come in and then target those agencies like
05:59 Department of Treasury.
06:03 Incredible. A different set targeted a known attack
06:07 early on in the code process. They knew about that
06:10 vulnerability and then they came in and
06:12 targeted them later in the
06:14 DevOps life cycle. Right. So you know if I'm in InfoSec,
06:19 I'm really concerned about this because
06:21 a lot of InfoSec people do not have that
06:23 visibility into what's going on in development.
06:25 I'm an old developer,
06:27 that's what I started my career doing.
06:29 I know that there is that kind of
06:30 separation between developers want to do
06:32 things fast because they have a lot of
06:34 pressure to get product out.
06:35 Security wants to keep everything secure, right? And
06:39 it really becomes important that
06:41 these two teams have to
06:42 work together. Right, so then Eddie,
06:46 what do businesses do to help prevent
06:48 this from happening to them?
06:50 So there are a couple of things and I'm
06:52 going to kind of talk about the high level first. So
06:57 effectively you don't want to rely on
06:58 just one security measure. We talked about and
07:01 we looked at the diagram and normally
07:03 code signing happens after the
07:04 software gets built and before it gets pushed out
07:07 to where customers can interact with it or download it.
07:10 And that's something that we don't want
07:12 to do: rely on one security measure.
07:14 Instead we want to have multiple
07:15 security measures.
07:16 Right. Also, hackers are jumping left and
07:19 when I say jumping left they're jumping
07:20 further into the development stream. So
07:22 it could be that your developers aren't
07:24 aware what's happening.
07:25 As a security professional, you
07:27 need to work really hand in hand with
07:29 your development teams to make sure that
07:31 more security measures are added in to
07:34 the development process,
07:37 and then you want to digitally sign
07:38 artifacts throughout the development stream.
07:40 What do I mean by that? Let's say a
07:42 software development
07:44 team has downloaded an open source
07:45 package and they run it through the
07:47 security scans and they know
07:49 that the software is safe. It's
07:51 free of malware well before they check
07:53 that into their source code repository.
07:54 They really should digitally sign that. When I say
07:57 digitally sign, I mean they should code sign that.
08:00 Right. Next thing is that the keys and
08:03 the certificates that are used for
08:05 digital signing, they always have to be secure.
08:08 I think what you know what we saw with
08:09 SolarWinds is that it's possible that those
08:12 keys were not secure and that's how they
08:14 may have been accessed during that
08:16 particular breach.
08:19 Go ahead, what was your question?
08:23 That's the business side,
08:25 so now from a software perspective,
08:27 how do these teams do this?
08:29 Specifically?
08:31 This is where I think it's really important to
08:36 give some visibility to the security folks out there.
08:39 This is just a typical pipeline, a
08:42 software development pipeline.
08:43 Your company's pipelines might look
08:45 different, even different software teams
08:47 within your company might have different pipelines.
08:49 But the really the important thing
08:52 to take away here, is that
08:54 there are multiple security controls
08:55 throughout that pipeline.
08:57 Sometimes your development
08:59 teams might think about what
09:00 those security controls should be.
09:02 Sometimes they might not think about
09:04 that and that's really where it's
09:05 important to collaborate with those security
09:08 teams. There are a number of steps
09:10 that if I were on the security side I would recommend
09:13 for our development teams to
09:15 take. One would be to have
09:17 individual contributors to sign
09:19 source code before they submit it.
09:20 Let's say I write a piece of software
09:22 and it is source code I submit it into my
09:25 source code repository.
09:26 Who's to prevent someone else from
09:28 coming in later after me and changing
09:30 a few lines, adding
09:31 some malware in or opening
09:33 up a port? If I digitally sign it with my
09:36 own personal signature, then that's going
09:37 to prevent others from coming in
09:39 and modifying that afterwards. Obviously
09:42 running security scans on third party components
09:45 if you use open source packages,
09:46 libraries, software development tools,
09:49 those should all be scanned first to
09:51 make sure there's not existing malware
09:53 in it, and then once you've scanned it you
09:55 should sign it with your own
09:57 certificate. Don't allow
10:00 unsigned or unscanned tools to be used
10:02 in your build environment.
10:04 If you do it's very possible that
10:07 those tools can have malware
10:09 already there and
10:10 you wouldn't know it. The next point
10:12 is really important and that is to
10:14 consider using ephemeral build servers.
10:17 What do we mean by that?
10:19 In the old days when I was
10:22 developing software, we had a
10:23 build server in a locked up room.
10:26 We would put our source code in it.
10:30 We would run a script on that server and
10:32 it would push out the actual
10:34 finished software product
10:36 and that is an example of a static server.
10:39 We're seeing everyone move to
10:41 something that we call
10:43 ephemeral build server. These are
10:44 basically build servers
10:46 that only exist for the duration of the
10:48 build. They don't exist any other time.
10:50 The advantage of that
10:52 is that they don't literally exist, so
10:54 unless maybe they're spun up in the cloud,
10:57 no one can break into that build server. Right.
11:00 That's why you really want to
11:02 create it just for as long as you need
11:03 it to build your software and then
11:05 delete it basically until the next time
11:07 you need to build your software.
11:09 The last point here is
11:11 constantly be checking for
11:13 valid digital signatures.
11:16 And what I'm going to anticipate is
11:19 you may have another question, how can Thales
11:23 and Venafi help with that?
11:27 Maybe you have a different way to phrase that?
11:29 Eddie, I'm curious. As I
11:32 listen, this is great for
11:33 software developers,
11:35 but what happens if I don't develop
11:36 software for my business?
11:38 How can I make sure I'm protected as well?
11:42 Good question. Again, if you use software
11:46 that you download or it's sent
11:48 to you, run it through security scans and
11:50 then once it's run through security
11:52 scans, even though it's already been
11:53 digitally signed by the vendor, add your
11:56 own digital signature to that.
11:57 That way everyone within your company
11:59 knows that your security team
12:02 has checked this piece of software and
12:04 not only that you can configure all the
12:06 the computers within your network to only
12:09 execute software that has been signed
12:11 with your own personal or your own
12:12 company's digital signature.
12:14 That is how I would approach that. Okay,
12:17 well this is great. Maybe you can
12:19 describe now, how does this all work
12:21 together? Can you give us some guidance?
12:23 So one of the things that
12:26 I've mentioned now several times is digital
12:30 signatures. Using a custom digital
12:33 signature for this purpose, for that purpose and
12:35 what does that mean? It means that now
12:37 your company has lots of
12:39 code signing certificates that they need to manage, and this is
12:43 where we really have the power of Venafi with Thales.
12:46 Thales Luna is great for keeping
12:50 those private keys extremely secure.
12:52 That's only one component of security
12:54 that we need to take into account.
12:56 The other component is how we secure the access
13:00 to the private keys that are stored in Thales Luna.
13:04 When I talk about access, I mean
13:06 there should be a set of measures in
13:08 place that says
13:09 only in these circumstances should this
13:11 particular person be authorized
13:14 to be able to access that
13:15 particular private code signing key.
13:18 In this particular circumstance, it
13:20 requires approvals from
13:21 these five other people. Maybe
13:25 it's a QA person that runs through
13:28 all the internal tests, maybe it's a
13:29 security person that
13:31 knows that it's been checked for malware.
13:32 There is an approval process
13:34 that's been put into place
13:36 and Venafi can help with that by
13:38 providing a framework that allows you to
13:40 automate that approval process.
13:42 Not to mention the framework that
13:46 allows you to manage the code
13:47 signing certificates and keys, and the life cycle of those.
13:54 This really is a vital topic
13:56 for our customers you know because
13:59 coming together with Thales to provide a
14:01 turnkey solution for automating
14:03 the management of machine identities for signing code
14:07 in complex supply chains, it couldn't be
14:09 more timely. Right.
14:11 With the SolarWinds attack that you described,
14:13 this isn't the first time
14:14 people have attacked the code.
14:16 Whether it's at a software side
14:18 or just within an organization, and
14:22 putting this in the context of the digital pandemic,
14:24 our friends at IDC have found that teams
14:27 practicing accelerated
14:28 application delivery, DevOps for
14:31 new services, were in a much better position
14:33 to use software innovation agility to
14:35 impact their organizations
14:37 as a response to the crisis. This allowed
14:40 these companies to roll up new software
14:42 and digital services based on DevOps and
14:45 agile processes in a much shorter time
14:48 and help drive their shift from
14:50 a product to a digital business.
14:52 And, of course,
14:53 the key point to all this is as long as
14:55 they protect the digital assets
14:57 correctly, and this is really what
14:59 Eddie has described today,
15:00 Venafi and Thales can help working together.
15:03 Thank you Eddie for taking the time
15:04 to share your insights
15:06 into the threats impacting the supply
15:08 chain and how we need to rethink
15:10 how we're implementing security for machine identities
15:13 and their whole impact on digital
15:15 transformation on business.
15:17 Please see the links that we have in the
15:19 slide below to get more details on how
15:21 Venafi and Thales can help secure and automate your supply chain.
15:26 I hope you guys have a great day.
15:28 Stay safe and thank you again Eddie for joining us today.
15:31 Thank you Dave.
15:40 Thank you.