Code Signing Seen as Effective Way to Safeguard App Security
NEWS ANALYSIS: Certificate Authorities (CAs) are ramping up efforts to make code signing the norm for application security.
There are a number of different ways to ensure application security in the modern IT environment. One of them is by starting right at the source, by enabling application developers to digitally sign their code, in an effort to guarantee the integrity and authenticity of a given application.
The Certificate Authority Security Council (CASC) is now engaged in an education campaign to expand awareness of code signing. The CASC is an industry group that was launched in February 2013 and that includes the world's leading Certificate Authorities (CAs).
A CA is an organization that issues and manages security certificates that are used for Secure Socket Layer (SSL) encryption as well as application code signing. The CASC also works hand in hand with the CA Browser (CAB) forum, which is a group that includes both CAs and web browser vendors.
The basic idea behind code signing is that an application can be signed by a software developer with a valid certificate from a CA. The role of the CA is to verify that the certificate has been granted to an authentic application. If the application is later compromised and is deemed to be malicious, the CA should be able to revoke the certificate. The malicious application should no longer work once the CA has revoked the certificate if the system works as it is supposed to.
One of the reasons why code signing isn't as broadly adopted today as it could be is perhaps due to the fact that, as of yet, there are no minimum baseline standards set for CAs on how the code signing infrastructure and process should work. The CAB Forum is now working on a public draft of baseline requirements for code signing certificates, Jeremy Rowley, Associate General Counsel at DigiCert, told eWEEK.
"Signing code helps to prevent people from taking existing software, adding a virus to it and then redistributing it as if it were legitimate software," Rowley said.
Attackers today can potentially self-sign their own applications, which is another risk that the CAs want to avoid. With a self-signed certificate, the individual signing the certificate attests to the validity and authenticity of the code without any third party audit or validation. In the CA model, the CA is the control point for integrity and authenticity.
With a CA-issued certificate, the identity of the person that signed code can be determined. That can be helpful in a case where the code is deemed to be malicious, Bruce Morton, Director of Entrust Certificate Services explained to eWEEK.
"If you do have certificates issued by a CA that are being misused, you can revoke them," Morton said.
In the existing browser model for security certificates, web browsers and CAs maintain certificate revocation lists (CRL) and use protocols including the Online Certificate Status Protocol (OCSP) to check the validity of certificates.
Rowley explained that certificate revocation is part of CA baseline standards that are now under development and are similar to the browser certificate model. The first draft of the minimum standards for CAs code signing is expected to be publicly released this week. The draft release will be followed by a month of public review after which the standards will be adopted.
"Once the standards are adopted, they will become binding on all Certificate Authorities, probably early next year," Rowley said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.