TalkingTrust with Thales and Venafi – Code Signing

With the increasing importance of software in every industry, most companies are now in the software development business. Code signing is a critical security control that helps businesses and their customers know that software can be trusted. While code signing has provided this protection for decades, cybercriminals continue to seek weaknesses in the code signing process, threatening the reputation of a business. In this video, Thales and Venafi discuss how these evolving security risks can negatively affect a business, and what you can do today to protect yourself.

Video Transcript

TalkingTrust Series - Venafi - Code Signing


00:06 Hello, my name is David Madden, Senior Director

00:09 of Business Development at Thales.

00:11 Today we are here with Eddie Glenn,

00:14 Senior Product Marketing Manager at Venafi,

00:16 to do a TalkingTrust session on securing the software supply chain

00:21 with Venafi and Thales. This is a vital topic for our customers

00:26 as Venafi and Thales provide a turnkey solution

00:29 for automating the management of machine identities

00:32 in complex supply chains. So let's start first with a question.

00:38 Eddie, this is sure to be on people's

00:39 minds: what is the software supply chain

00:42 and why is this important to customers?

00:46 Hey Dave. It's great to be here. That's a good question.

00:50 So, software supply chain. If you think

00:52 about your business, you might be using, or

00:58 I shouldn't say might be, your business

00:59 definitely is using software.

01:01 It's either software they use for your

01:04 accounting systems or software for your internal databases,

01:07 but most companies now are offering types of software

01:10 for the products that they sell and the

01:13 software supply chain is

01:14 basically all of that software that's needed

01:17 to keep your business running. So it

01:19 might be software that you've developed,

01:21 it might be software that your company uses,

01:24 that accounting package that you've

01:26 purchased from someone else.

01:27 It might be open source library software

01:30 that your development teams are using

01:32 or commercial libraries that your

01:33 software development teams are using.

01:35 But software supply chains impact all of

01:38 us. I can't think of any business out there

01:41 that doesn't either use software to run

01:43 their business operations

01:44 or develop software because it's part of their product.

01:49 That makes sense. And of course, I guess

01:51 one of the big ones that involves software supply chains

01:54 is SolarWinds, as a software supply chain attack.

01:58 It sounds like you've done a lot of

01:59 research into this area at Venafi.

02:01 Can you share some of the key

02:03 findings? It's a great example of how vulnerable

02:07 our software supply chains are and

02:10 it really is. It’s amazing when

02:14 Venafi did a deep dive analysis on what happened

02:17 with SolarWinds. We don't have any

02:18 inside information, this is all just from

02:20 publicly sourced information. Just in a nutshell,

02:24 what happened is that in December of 2020,

02:29 it was announced that a product

02:32 from SolarWinds called Orion

02:34 had been infected with malware. That then

02:36 infected other SolarWinds customers.

02:41 It's like a dual kind of attack and

02:44 it was about 18,000 customers that were infected,

02:47 even though the attackers were only

02:49 targeting a subset of those. It ranged from

02:52 government entities like Department of Treasury,

02:55 Homeland Security, so you know really

02:56 important government agencies as well as

02:59 small, medium and extremely large businesses

03:01 you know with well-known brand recognition,

03:04 as well as state and local governments.

03:07 But it was an eye-opener for us.

03:09 We know that hackers are constantly trying to get

03:12 malware in, but the level of sophistication, and we'll

03:15 dive into this in a little bit, was pretty amazing.

03:21 It's true as you're revealing this you realize

03:24 how broad this was. Eddie, can

03:26 you share a little bit more about

03:27 how this attack was different from past

03:29 attacks and how does it impact the

03:32 software supply chain? Yes, so

03:35 right now I'm showing a diagram of a

03:37 DevOps pipeline, so you know DevOps, for

03:40 those that aren't familiar with software,

03:41 is the new way that

03:43 people are developing software to get

03:44 product out to market quicker

03:46 and as well as being able to

03:49 introduce new features as quickly as

03:51 possible. People might have heard

03:53 terms like digital transformation, cloud native,

03:57 all of these things are kind of related.

03:58 But really what's going on is

04:00 that developers are just

04:02 doing a lot extremely quickly and it's iterative.

04:05 When we think about traditional malware attacks,

04:09 usually it happens after a developer has

04:12 created their source code or created

04:14 their product and they start to

04:15 distribute their product.

04:17 Hackers will sometimes try to

04:19 insert malware at that

04:20 particular point. We have

04:23 ways of protecting against that,

04:25 things like code signing is very useful

04:27 to help ensure for end users that

04:31 the software that they're running and

04:33 that they're installing on their computers

04:35 is from the trusted vendor

04:37 they have the relationship with

04:38 that it hasn't been modified by a third

04:40 party. That's how code signing has worked in the past.

04:43 But this is what's different about

04:46 what happened with SolarWinds and SUNBURST,

04:49 the actual name of the attack, is that

04:51 the attackers went into the stream well before

04:56 what we typically see for when malware gets inserted.

04:59 They targeted the build systems of

05:01 the software development teams,

05:03 and if you're on the security side of

05:05 the house and you know that's what your

05:06 business is, you might you know be thinking,

05:09 I've got things well protected

05:10 down here because I'm

05:12 doing code signing. But you might not

05:14 have visibility into what your

05:15 development teams are doing

05:16 up here during their software

05:18 development activities.

05:20 And that's where SUNBURST was

05:23 very different. The attackers

05:24 broke into the build infrastructure.

05:28 They inserted some malware into the

05:29 source code. No one knew it.

05:31 The engineers built their product like

05:33 they always do, they released it, it got code signed, and

05:37 it got pushed out to customers.

05:38 This is where it really gets scary,

05:40 is that the hackers weren't really after

05:43 SolarWinds. They were after some of

05:45 SolarWinds' customers.

05:47 So when they installed the software,

05:51 their environments basically opened up a back door

05:55 that allowed a different set of hackers

05:56 to come in and then target those agencies like

05:59 Department of Treasury.

06:03 Incredible. A different set targeted a known attack

06:07 early on in the code process. They knew about that

06:10 vulnerability and then they came in and

06:12 targeted them later in the

06:14 DevOps life cycle. Right. So you know if I'm in InfoSec,

06:19 I'm really concerned about this because

06:21 a lot of InfoSec people do not have that

06:23 visibility into what's going on in development.

06:25 I'm an old developer,

06:27 that's what I started my career doing.

06:29 I know that there is that kind of

06:30 separation: developers want to do

06:32 things fast because they have a lot of

06:34 pressure to get product out.

06:35 Security wants to keep everything secure, right, and

06:39 it really becomes important that

06:41 these two teams have to

06:42 work together. Right, so then Eddie,

06:46 what do businesses do to help prevent

06:48 this from happening to them?

06:50 So there are a couple of things and I'm

06:52 going to kind of talk about the high level first. So

06:57 effectively you don't want to rely on

06:58 just one security measure. We talked about and

07:01 we looked at the diagram and normally

07:03 code signing happens after the

07:04 software gets built and before it gets pushed out

07:07 to where customers can interact with it or download it.

07:10 And that's something that we don't want

07:12 to do, rely on just one security measure.

07:14 Instead we want to have multiple

07:15 security measures.

07:16 Right. Also, hackers are jumping left and

07:19 when I say jumping left they're jumping

07:20 further into the development stream. So

07:22 it could be that your developers aren't

07:24 aware what's happening.

07:25 As a security professional, you

07:27 need to work really hand in hand with

07:29 your development teams to make sure that

07:31 more security measures are added in to

07:34 the development process,

07:37 and then you want to digitally sign

07:38 artifacts throughout the development stream.

07:40 What do I mean by that? Let's say a

07:42 software development

07:44 team has downloaded an open source

07:45 package and they run it through the

07:47 security scans and they know

07:49 that you know the software is safe. It's

07:51 free of malware well before they check

07:53 that into their source code repository.

07:54 They really should digitally sign that. When I say

07:57 digitally sign, I mean they should code sign that.

08:00 Right. Next thing is that the keys and

08:03 the certificates that are used for

08:05 digital signing, they always have to be secure.

08:08 I think, you know, what we saw with

08:09 SolarWinds is that it's possible that those

08:12 keys were not secure and that's how they

08:14 may have been accessed during that

08:16 particular breach.

08:19 Go ahead, what was your question?

08:23 That's the business side,

08:25 so now from a software perspective,

08:27 how do these teams do this? 

08:29 Specifically?

08:31 This is where I think it's really important to

08:36 give some visibility to the security folks out there. 

08:39 This is just a typical pipeline, a

08:42 software development pipeline.

08:43 Your company's pipelines might look

08:45 different, even different software teams

08:47 within your company might have different pipelines.

08:49 But really the important thing

08:52 to take away here, is that

08:54 there are multiple security controls

08:55 throughout that pipeline.

08:57 Sometimes your development

08:59 teams might think about what

09:00 those security controls should be.

09:02 Sometimes they might not think about

09:04 that and that's really where it's

09:05 important to collaborate with those security

09:08 teams. There are a number of steps

09:10 that if I were on the security side I would recommend

09:13 for our development teams to

09:15 take. One would be you know to have

09:17 individual contributors to sign

09:19 source code before they submit it. 

09:20 Let's say I write a piece of software

09:22 and it is source code I submit it into my

09:25 source code repository.

09:26 Who's to prevent someone else from

09:28 coming in later after me and changing

09:30 the few lines and adding

09:31 some malware in or opening

09:33 up a port. If I digitally sign it with my

09:36 own personal signature then that's going

09:37 to prevent others from coming in

09:39 and modifying that afterwards. Obviously,

09:42 run security scans on third-party components:

09:45 if you use open source packages,

09:46 libraries, software development tools,

09:49 those should all be scanned first to

09:51 make sure there's not existing malware

09:53 in it, and then once you've scanned it, you

09:55 should sign it with your own

09:57 certificate. Don't allow

10:00 unsigned or unscanned tools to be used

10:02 in your build environment.

10:04 If you do it's very possible that

10:07 those tools can have malware

10:09 already there and

10:10 you wouldn't know it. The next point

10:12 is really important and that is to

10:14 consider using ephemeral build servers.

10:17 What do we mean by that?

10:19 In the old days when I was

10:22 developing software, we had a

10:23 build server in a locked up room.

10:26 We would put our source code in it.

10:30 We would run a script on that server and

10:32 it would push out the actual

10:34 finished software product

10:36 and that is an example of a static server.

10:39 We're seeing everyone move to

10:41 something that we call

10:43 ephemeral build server. These are

10:44 basically build servers

10:46 that only exist for the duration of the

10:48 build. They don't exist any other time.

10:50 The advantage of that

10:52 is that they don't literally exist, so

10:54 unless maybe they're spun up in the cloud,

10:57 no one can break into that build server. Right.

11:00 That's why you really want to

11:02 create it just for as long as you need

11:03 it to build your software and then

11:05 delete it basically until the next time

11:07 you need to build your software.

11:09 The last point here is

11:11 constantly be checking for

11:13 valid digital signatures.

11:16 And what I'm going to anticipate is

11:19 you may have another question, how can Thales

11:23 and Venafi help with that?

11:27 Maybe you have a different way to phrase that?

11:29 Eddie, I'm curious. As I

11:32 listen, this is great for

11:33 software developers,

11:35 but what happens if I don't develop

11:36 software for my business?

11:38 How can I make sure I'm protected as well?

11:42 Good question. Again, if you use software

11:46 that you download or it's sent

11:48 to you, run it through security scans and

11:50 then once it's run through security

11:52 scans, even though it's already been

11:53 digitally signed by the vendor, add your

11:56 own digital signature to that.

11:57 That way everyone within your company

11:59 knows that your security team

12:02 has checked this piece of software and

12:04 not only that you can configure all the

12:06 computers within your network to only

12:09 execute software that has been signed

12:11 with your own personal or your own

12:12 company's digital signature.

12:14 That is how I would approach that. Okay,

12:17 well this is great. Maybe you can

12:19 describe now, how does this all work

12:21 together? Can you give us some guidance?

12:23 So one of the things that 

12:26 I've mentioned now several times, is digital

12:30 signature. Using a custom digital

12:33 signature for this purpose, for that purpose, and

12:35 what does that mean? It means that now

12:37 your company has a lot of

12:39 code signing certificates that they need to manage, and this is

12:43 where we really have the power of Venafi with Thales.

12:46 Thales Luna is great for keeping those

12:50 private keys extremely secure.

12:52 That's only one component of security

12:54 that we need to take into account.

12:56 The other component is how we secure the access

13:00 to the private keys that are stored in Thales Luna.

13:04 When I talk about access, I mean

13:06 there should be a set of measures in

13:08 place that says

13:09 only in these circumstances should this

13:11 particular person be authorized

13:14 to be able to access that

13:15 particular private code signing key. Signing

13:18 in this particular circumstance

13:20 requires approvals from

13:21 these five other people. Maybe

13:25 it's a QA person that runs through

13:28 all the internal tests, maybe it's a

13:29 security person that

13:31 knows that it's been checked for malware.

13:32 There is an approval process

13:34 that's been put into place

13:36 and Venafi can help with that by

13:38 providing a framework that allows you to

13:40 automate that approval process.

13:42 Not to mention not only the framework that

13:46 allows you to manage the code

13:47 signing certificates and keys, and the life cycle of those.

13:54 This really is a vital topic

13:56 for our customers you know because

13:59 coming together with Thales to provide a

14:01 turnkey solution for automating

14:03 the management of machine identities for signing code

14:07 in complex supply chains, it couldn't be

14:09 more timely. Right.

14:11 With the SolarWinds attack that you described,

14:13 this isn't the first time

14:14 people have attacked the code.

14:16 Whether it's at a software side

14:18 or just within an organization, and

14:22 putting this in the context of the digital pandemic,

14:24 our friends at IDC have found that teams

14:27 practicing accelerated

14:28 application delivery, DevOps for

14:31 new services, were in a much better position

14:33 to use software innovation agility to

14:35 impact their organizations

14:37 as a response to the crisis. This allowed

14:40 these companies to roll up new software

14:42 and digital services based on DevOps and

14:45 agile processes in a much shorter time

14:48 and help drive their shift from a

14:50 product to a digital business.

14:52 And, of course the

14:53 key point to all this is, as long as

14:55 they protect the digital assets

14:57 correctly, and this is really what

14:59 Eddie has described today,

15:00 Venafi and Thales can help working together.

15:03 Thank you Eddie for taking the time

15:04 to share your insights

15:06 into the threats impacting the supply

15:08 chain and how we need to rethink

15:10 how we're implementing security machine identities

15:13 and their whole impact on digital

15:15 transformation on business.

15:17 Please see the links that we have in the

15:19 slide below to get more details on how

15:21 Venafi and Thales can help secure and automate your supply chain.

15:26 I hope you guys have a great day.

15:28 Stay safe and thank you again Eddie for joining us today.

15:31 Thank you Dave.

15:40 Thank you.