TalkingTrust with Thales and Venafi – Code Signing

TalkingTrust Series - Venafi - Code Signing

 

00:06 Hello, my name is David Madden, Senior Director

00:09 of Business Development at Thales.

00:11 Today we are here with Eddie Glenn,

00:14 Senior Product Marketing Manager at Venafi,

00:16 to do a TalkingTrust session on securing the software supply chain

00:21 with Venafi and Thales. This is a vital topic for our customers

00:26 as Venafi and Thales provide a turnkey solution

00:29 for automating the management of machine identities

00:32 in complex supply chains. So let's start first with a question.

00:38 Eddie, this is sure to be on people's

00:39 minds: what is the software supply chain

00:42 and why is this important to customers?

00:46 Hey Dave. It's great to be here. That's a that's a good question. 

00:50 So, software supply chain. If you think

00:52 about your business, you might be using, or

00:58 I shouldn't say might be, your business

00:59 definitely is using software.

01:01 It's either software they use for your

01:04 accounting systems or software for your internal databases,

01:07 but most companies now are offering types of software

01:10 for the products that they sell and the

01:13 software supply chain is

01:14 is basically all of that software that's needed

01:17 to keep your business running. So it

01:19 might be software that you've developed,

01:21 it might be software that your company uses,

01:24 that accounting package that you've

01:26 purchased from someone else.

01:27 It might be open source library software

01:30 that your development teams are using

01:32 or commercial libraries that your

01:33 software development teams are using.

01:35 But software supply chains impact all of

01:38 us. I can't think of any business out there

01:41 that doesn't either use software to run

01:43 their business operations

01:44 or develop software because it's part of their product.

01:49 That makes sense. And of course, I guess

01:51 one of the big ones that involves software supply chains

01:54 is SolarWinds, as a software supply chain attack.

01:58 It sounds like you've done a lot of

01:59 research into this area at Venafi.

02:01 Can you share with some of the key

02:03 findings? It's a great example of how vulnerable

02:07 our software supply chains are and

02:10 it really is. It’s amazing when

02:14 Venafi did do a deep dive analysis on what happened

02:17 with SolarWinds. We don't have any

02:18 inside information, this is all just from

02:20 publicly sourced information. Just in a nutshell,

02:24 what happened is that in December of 2020,

02:29 it was announced that a product

02:32 from SolarWinds called Orion

02:34 had been infected with malware. That then

02:36 infected other SolarWinds's customers.

02:41 It's like a dual kind of attack and

02:44 it was about 18,000 customers that were infected,

02:47 even though the attackers were only

02:49 targeting a subset of those. It ranged from

02:52 government entities like Department of Treasury,

02:55 Homeland Security, so you know really

02:56 important government agencies as well as

02:59 small medium and extremely large businesses

03:01 you know with well-known brand recognition,

03:04 as well as state and local governments.

03:07 But it was an eye-opener for us. 

03:09 We know that hackers are constantly trying to get

03:12 malware in, but the level of sophistication and we'll

03:15 dive into this in a little bit, was pretty amazing.

03:21 It's true as you're revealing this you realize

03:24 how broad this was. Eddie, can

03:26 you share a little bit more about

03:27 how was this attack different from past

03:29 attacks and how does it impact the

03:32 the software supply chain? Yes, so

03:35 right now I'm showing a diagram of a

03:37 DevOps pipeline, so you know DevOps, for

03:40 those that aren't familiar with software,

03:41 is the new way that

03:43 people are developing software to get

03:44 product out to market quicker

03:46 and as well as being able to

03:49 introduce new features as quickly as

03:51 possible. People might have heard

03:53 terms like digital transformation, cloud native,

03:57 all of these things are kind of related.

03:58 But really what's going on is

04:00 that developers are just

04:02 doing a lot extremely quickly and it's iterative.

04:05 When we think about traditional malware attacks,

04:09 usually it happens after a developer has

04:12 created their source code or created

04:14 their product and they start to

04:15 distribute their product.

04:17 Hackers will sometimes try to

04:19 insert malware at that

04:20 particular point. We have

04:23 ways of protecting against that,

04:25 things like code signing is very useful

04:27 to help ensure for end users that

04:31 the software that they're running and

04:33 that they're installing on their computers

04:35 is from the trusted vendor

04:37 they have the relationship with

04:38 that it hasn't been modified by a third

04:40 party. That's how code signing has worked in the past.

04:43 But this is what's different about

04:46 what happened with the SolarWinds and SUNBURST,

04:49 the actual name of the attack, is that

04:51 the attackers went into the stream well before

04:56 what we typically see for when malware gets inserted.

04:59 They targeted the build systems of

05:01 the software development teams,

05:03 and if you're on the security side of

05:05 the house and you know that's what your

05:06 business is, you might you know be thinking,

05:09 I've got things well protected

05:10 down here because I'm

05:12 doing code signing. But you might not

05:14 have visibility into what your

05:15 development teams are doing

05:16 up here during their software

05:18 development activities.

05:20 And that's where SUNBURST was

05:23 very different. The attackers

05:24 broke into the build infrastructure.

05:28 They inserted some malware into the

05:29 source code. No one knew it.

05:31 The engineers built their product like

05:33 they always do, they released it, it got code signed, and

05:37 they got pushed out to customers. 

05:38 This is where it really gets scary,

05:40 is that the hackers weren't really after

05:43 SolarWinds. They were after some of

05:45 SolarWinds customers.

05:47 So when they installed the software,

05:51 their environments basically opened up a back door

05:55 that allowed a different set of hackers

05:56 to come in and then target those agencies like

05:59 Department of Treasury.

06:03 Incredible. A different set targeted a known attack

06:07 early on in the code process. They knew about that

06:10 vulnerability and then they came in and

06:12 targeted them later in the

06:14 the DevOps life cycle. Right. So you know if I'm in InfoSec,

06:19 I'm really concerned about this because

06:21 a lot of InfoSec people do not have that

06:23 visibility into what's going on in development.

06:25 I'm an old developer,

06:27 that's what I started my career doing.

06:29 I know that there is that kind of

06:30 separation between developers want to do

06:32 things fast because they have a lot of

06:34 pressure to get product out.

06:35 Security wants to keep everything secure right and

06:39 it really becomes important that

06:41 these two teams have to

06:42 to work together. Right, so then Eddie,

06:46 what do businesses do to help prevent

06:48 this from happening to them?

06:50 So there are a couple of things and I'm

06:52 going to kind of talk about the high level first. So

06:57 effectively you don't want to rely on

06:58 just one security measure. We talked about and

07:01 we looked at the diagram and normally

07:03 code signing happens after the

07:04 software gets built and before it gets pushed out

07:07 to where customers can interact with it or download it.

07:10 And that's something that we don't want

07:12 to do is, one security measure.

07:14 Instead we want to have multiple

07:15 security measures.

07:16 Right. Also, hackers are jumping left and

07:19 when I say jumping left they're jumping

07:20 further into the development stream. So

07:22 it could be that your developers aren't

07:24 aware what's happening.

07:25 As a security professional, you

07:27 need to work really hand in hand with

07:29 your development teams to make sure that

07:31 more security measures are added in to

07:34 the development process,

07:37 and then you want to digitally sign

07:38 artifacts throughout the development stream.

07:40 What do I mean by that? Let's say a

07:42 software development

07:44 team has downloaded an open source

07:45 package and they run it through the

07:47 security scans and they know

07:49 that you know the software is safe. It's

07:51 free of malware well before they check

07:53 that into their source code repository.

07:54 They really should digitally sign that. When I say

07:57 digitally signed, I mean they should code sign that.

08:00 Right. Next thing is that the keys and

08:03 the certificates that are used for

08:05 digital signing, they always have to be secure.

08:08 I think what you know what we saw with

08:09 SolarWinds is that it's possible that those

08:12 keys were not secure and that's how they

08:14 may have been accessed during that

08:16 particular breach.

08:19 Go ahead, what was your question?

08:23 That's the business side,

08:25 so now from a software perspective,

08:27 how do these teams do this? 

08:29 Specifically?

08:31 This is where I think it's really important to

08:36 give some visibility to the security folks out there. 

08:39 This is just a typical pipeline, a

08:42 software development pipeline.

08:43 Your company's pipelines might look

08:45 different, even different software teams

08:47 within your company might have different pipelines.

08:49 But the really the important thing

08:52 to take away here, is that

08:54 there are multiple security controls

08:55 throughout that pipeline.

08:57 Sometimes your developer development

08:59 teams might think about what

09:00 those security controls should be.

09:02 Sometimes they might not think about

09:04 that and that's really where it's

09:05 important to collaborate with those security

09:08 teams. There are a number of steps

09:10 that if I were on the security side I would recommend

09:13 for our development teams to

09:15 take. One would be you know to have

09:17 individual contributors to sign

09:19 source code before they submit it. 

09:20 Let's say I write a piece of software

09:22 and it is source code I submit it into my

09:25 source code repository.

09:26 Who's to prevent someone else from

09:28 coming in later after me and changing

09:30 the few lines and adding

09:31 some malware in or opening

09:33 up a port. If I digitally sign it with my

09:36 own personal signature then that's going

09:37 to prevent others from coming in

09:39 and modifying that afterwards? Obviously

09:42 running security scans on third party components

09:45 if you use open source packages,

09:46 libraries, software development tools,

09:49 those should all be scanned first to

09:51 make sure there's not existing malware

09:53 in it and then once you scanned it then you

09:55 should sign it with your own

09:57 certificate. Don't allow

10:00 unsigned or unscanned tools to be used

10:02 in your build environment.

10:04 If you do it's very possible that

10:07 those tools can have malware

10:09 already there and

10:10 you wouldn't know it. The next point

10:12 is really important and that is to

10:14 consider using ephemeral build servers.

10:17 What do we mean by that?

10:19 In the old days when I was

10:22 developing software, we had a

10:23 build server in a locked up room.

10:26 We would put our source code in it.

10:30 We would run a script on that server and

10:32 it would pop out, push out the actual

10:34 finished software product

10:36 and that is an example of a static server.

10:39 We're seeing everyone move to

10:41 something that we call

10:43 ephemeral build server. These are

10:44 basically build servers

10:46 that only exist for the duration of the

10:48 build. They don't exist any other time.

10:50 The advantage of that

10:52 is that they don't literally exist, so

10:54 unless maybe they're spun up in the cloud,

10:57 then no one can break into that build server. Right.

11:00 That's why you really want to

11:02 create it just for as long as you need

11:03 it to build your software and then

11:05 delete it basically until the next time

11:07 you need to build your software.

11:09 The last point here is

11:11 constantly be checking for

11:13 valid digital signatures.

11:16 And what I'm going to anticipate is

11:19 you may have another question, how can Thales 

11:23 and Venafi help with that?

11:27 Maybe you have a different way to phrase that?

11:29 Eddie, I'm curious. As I

11:32 listen, this is great for

11:33 software developers,

11:35 but what happens if I don't develop

11:36 software for my business?

11:38 How can I make sure I'm protected as well?

11:42 Good question. Again, if you use software

11:46 that you download or it's sent

11:48 to you, run it through security scans and

11:50 then once it's run through security

11:52 scans, even though it's already been

11:53 digitally signed by the vendor, add your

11:56 own digital signature to that.

11:57 That way everyone within your company

11:59 knows that your security team

12:02 has checked this piece of software and

12:04 not only that you can configure all the

12:06 the computers within your network to only

12:09 execute software that has been signed

12:11 with your own personal or your own

12:12 company's digital signature.

12:14 That is how I would approach that. Okay,

12:17 well this is great. Maybe you can

12:19 describe now, how does this all work

12:21 together? Can you give us some guidance?

12:23 So one of the things that 

12:26 I've mentioned now several times, is digital

12:30 signature. Using a custom digital

12:33 signature for this purpose, for that purpose and 

12:35 what does that mean? It means that now

12:37 your company has a lots of

12:39 cosigning certificates that they need to manage and this is

12:43 where we really have the power of Venafi with Thales.

12:46 Thales Luna is great for keeping those

12:50 those private keys extremely secure.

12:52 That's only one component of security

12:54 that we need to take into account.

12:56 The other component is how we secure the access

13:00 to the private keys that are stored in Thales Luna?

13:04 When I talk about access, I mean

13:06 there should be a set of measures in

13:08 place that says

13:09 only in these circumstances should this

13:11 particular person be authorized

13:14 to be able to access that

13:15 particular private code. Signing keys

13:18 in this particular circumstance

13:20 requires approvals from

13:21 these five other people. Maybe

13:25 it's a QA person that runs through

13:28 all the internal tests, maybe it's a

13:29 security person that

13:31 knows that it's been checked for malware.

13:32 There is an approval process

13:34 that's been put into place

13:36 and Venafi can help with that by

13:38 providing a framework that allows you to

13:40 automate that approval process.

13:42 Not to mention not only the framework that

13:46 allows you to manage the code,

13:47 signing certificates and keys, and the life cycle of those.

13:54 This is really is a vital topic

13:56 for our customers you know because 

13:59 coming together with Thales to provide a

14:01 turnkey solution for automating

14:03 the management of machine identities for signing code

14:07 in complex supply chains, it couldn't be

14:09 more timely. Right.

14:11 With the SolarWinds attack that you described,

14:13 this isn't the first time

14:14 people have attacked the code.

14:16 Whether it's at a software side

14:18 or just within an organization, and 

14:22 putting this in the context of the digital pandemic,

14:24 our friends at IDC have found that teams

14:27 practicing accelerated

14:28 application delivery, DevOps for

14:31 new services, we're in a much better position

14:33 to use software innovation agility to

14:35 impact their organizations

14:37 as a response to the crisis. This allowed

14:40 these companies to roll up new software

14:42 and digital services based on DevOps and

14:45 agile processes in a much shorter time

14:48 and help drive their shift from a

14:50 a product to a digital business.

14:52 And, of course the

14:53 the key point to all this is as long as

14:55 they protect the digital assets

14:57 correctly, and this is really what

14:59 Eddie has described today,

15:00 Venafi and Thales can help working together.

15:03 Thank you Eddie for taking the time

15:04 to share your insights

15:06 into the threats impacting the supply

15:08 chain and how we need to rethink

15:10 how we're implementing security machine identities

15:13 and their whole impact on digital

15:15 transformation on business.

15:17 Please see the links that we have in the

15:19 slide below to get more details on how

15:21 Venafi and Thales can help secure automate in your supply chain.

15:26 I hope you guys have a great day.

15:28 Stay safe and thank you again Eddie for joining us today.

15:31 Thank you Dave.

15:40 Thank you.