Jason Sabin CTO of DigiCert Inc. Passionate about simplifying security, including digital certificate management for device & user identity.
getty
In a dynamic marketplace, business agility can mean all the difference between success and failure. If you can’t seize the moment by getting your new product out in front of customers, it’s a safe bet that a nimble competitor will.
Companies understand that they need to innovate fast to succeed, and they’re looking to DevOps and agile methodologies to take them where they want to go. According to Gartner analysts, “through 2023, 75% of organizations will customize agile practices to match product and team contexts, resulting in increased application delivery cadence.”
However, like any transformative strategy, DevOps also brings risks. The hack involving SolarWinds was a prominent reminder of the importance of securing every aspect of the build process. In that case, frequent software updates that would normally be considered a best practice instead opened up a vulnerability when malware was injected during the build process. By shining an unwelcome spotlight on software development processes, this incident demonstrated the need for continuous integration and continuous delivery (CI/CD) security best practices that verify the integrity of the code every step of the way.
To support DevOps initiatives, you need a DevSecOps culture.
DevOps workflows are all about continuous development and pushing deliverables out. Every stage of development introduces plenty of opportunities for breaches and security failures to occur. That’s why it’s essential to protect your organization by nurturing a DevSecOps culture.
DevSecOps is intended to fully integrate security deep within every phase of the software development life cycle, from conception and design through testing, delivery and deployment. Not long ago, security was generally bolted onto software at the conclusion of development, put in place and tested by a different team. But as automation and a renewed focus on agile development have accelerated CI/CD pipelines, it’s clear that this approach not only creates bottlenecks but can leave software vulnerable to breaches that are difficult to find and expensive to fix.
Code signing is fundamental to DevSecOps best practices. By digitally signing apps, drivers, executables and software programs, organizations can verify the integrity of code before it progresses further in the development cycle.
Although many DevOps-driven companies have code signing policies in place, it’s surprising how many are practicing it incorrectly. They may be using the same key to sign all their files — or even using the same signing key across multiple product lines and businesses. Companies may have only minimal controls to specify who will sign the code at designated stages of development. They may have limited accountability and reporting for their signing processes. They may even load a signing key onto a thumb drive and pass it around with no controls in place, effectively bypassing code signing.
Best practices are key for effective signing.
Code signing can provide an effective mechanism to safeguard development pipelines, but when poorly applied, it can actually put organizations at increased risk. How can organizations handle signing the right way? The most important starting point is controlling and safeguarding the use of the signing keys themselves. Using the same key to sign every project can set the stage for disaster because if that key is compromised, every piece of code that it has signed could be at risk. A strong, regular and frequent key rotation strategy can help minimize this threat.
Establishing transparency and control over the signing process can also minimize risks. When organizations can fully dictate and enforce signing rights in a way that aligns with their own organizations and processes, they gain peace of mind in knowing that signing keys aren’t being shared with multiple individuals who may lack authorization. A solid signing process can also strengthen accountability. Building reports that can show when specific projects were signed, and by whom, can make it easier to trace down the source of problems if they arise.
Even a few simple steps can dramatically strengthen the integrity of the code signing process. Prior to signing, organizations may wish to scan the code for viruses to ensure that an unexpected threat has not hitched a ride. Using a consensus-based process, they can get multiple designated team members to assure the code has been reviewed for anomalies before any code update is signed. A secure software manager workflow can make this process regimented within the organization.
Automate to optimize DevSecOps.
Automation can make it easier to extend better security practices across CI/CD pipelines. With the right technology solution, DevOps-driven organizations can set up a mechanism to sign code binaries fast, easily and at scale.
As more organizations move key processes to the cloud, they’ll want to consider a code signing solution that supports flexible deployment models. An effective solution can generate keys in the cloud, keeping them offline to help ensure they can’t be lost, stolen or shared. To be sure that code signing best practices are fully integrated into every step of the DevOps process, the solution should be compatible with leading platforms and libraries, such as Java, OpenSSL, Android and Authenticode.
DevSecOps must be organic.
The benefits of establishing a DevSecOps culture are clear, but big changes in fundamental processes can’t happen overnight. The shift requires buy-in and leadership from executives, backed by sustained support from across the organization.
To get the initiative off the ground, effective communication and messaging can help build the mindshare necessary to get teams on board. Educate your development teams to help them understand your objectives, and show them why DevSecOps will ultimately deliver better outcomes for the entire company — and your customers.
As you start laying the groundwork to establish or improve your signing processes, take a close look at your DevOps pipelines to audit and verify code dependencies. By understanding the state of your security posture today, you’ll find it easier to identify areas to improve in the future.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Follow me on LinkedIn. Check out my website.