Code Signing 06-06-2023

Announcing New Threat Detection Capability in DigiCert® Software Trust Manager

Eddie Glenn
ReveringLab Blog Image

Fight software supply chain attacks

Threat Detection and software bill of materials (SBOM) capabilities, powered by ReversingLabs, have been added to DigiCert® Software Trust Manager to provide customers with the ability to detect threats and vulnerabilities in their software before they securely sign it.

Another global pandemic?

Software supply chain attacks are increasing. Prominent technology brands like MSI, Intel, Microsoft, CircleCI and 3CX are recent victims of these attacks, joining other companies like SolarWinds, Asus, Codecov, Docker Hub and A.P. Moller-Maersk. No one is immune.

A recent Gartner report says that 45% of companies worldwide will experience attacks on their software supply chains by 2025. Another industry report says that there has been an increase of 742% (that is not a typo — seven hundred forty-two percent!) in software supply chain attacks over the past three years.

Software supply chain attacks come in multiple flavors. Some target unprotected code signing keys and then either sell them on the dark web or use them to sign malware.

Others leverage vulnerabilities in a company’s software development lifecycle and build infrastructure to secretly insert malware directly into a company’s software product. Other attacks occur when an organization unknowingly incorporates malware-infested third-party software (such as open source software) into their product offering.

Even though attack techniques vary, their impact on the business attacked does not. This impact can include loss of customer trust, reputation, revenue and/or leakage of confidential customer or corporate data.

A race to a cure

Like a drug-resistant virus that continually mutates, this global pandemic requires a multifaceted approach to a preventative cure. Governments and industry associations have proposed a number of recommendations.

For example, in 2021, the U.S. government issued the United States Executive Order #14028 Improving the Nation’s Cybersecurity, which resulted in the National Institute of Standards and Technology’s (NIST’s) Software Supply Chain Security Guidance to be written. The U.S. Department of Defense also responded with Securing the Software Supply Chain Recommended Practices Guide for Developers. The U.S. Office of Management and Budget has also issued memorandum M-22-18 that “requires each Federal agency to provide security protections for both ‘information collected or maintained by or on behalf of an agency.’” This has the direct impact on providers of software to the U.S. government that attests to the security of the software and services they provide.

The United States is not alone in its responses to this growing pandemic. The European Union and its member countries, the United Kingdom, Japan and other countries are putting forth similar guidance.

A doctor’s bag of remedies

In the meantime, a variety of remedies to counter software supply chain attacks have been developed. Each has its place in detecting and preventing attacks, but rarely will one alone be sufficient. Dynamic application security testing (DAST), static application security testing (SAST), software composition analysis, secure code signing and software bills of materials (SBOMs) are just a few examples of what’s in the doctor’s bag.

In some cases, organizations take a patchwork approach to addressing software supply chain security. For example, one team may rely heavily on one technique while another in the organization may rely on something else. This lack of enterprise-wide coordination can leave the organization vulnerable to attack and even lead to a false sense of security for those responsible for enterprise security.

For example, consider code signing. This is a security technique that has been available to companies for more than 30 years. It worked well until attackers discovered they could just steal private code signing keys. Companies responded by moving code signing keys to secure storage, like hardware security modules (HSMs). But attackers circumvented this by using other schemes, like phishing, to get the access to the credentials used to access private keys. Now organizations not only have to securely store their private keys but also need to implement a secure code signing process that includes key security, role-based access and control, centralized policy definition and irrefutable logs of code signing activities.

As with a muting virus and the medical approach to using multiple treatments that evolve over time, the software industry needs to do the same to combat software supply chain attacks.

Don’t sign in the blind

DigiCert offers its customers an enterprise-hardened, secure code signing solution, DigiCert Software Trust Manager. DigiCert Software Trust Manager enables companies to centrally manage code signing across their entire enterprise, regardless of where the software team is located, what programming language or platform the team uses or the type of software that the team develops (cloud-native, embedded device, mobile apps, etc.). It has closed several of the code signing process vulnerabilities that attackers have utilized in the past, especially from the perspective of enforcing a safer code signing policy across the entire enterprise.

However, when one signs a piece of software, an assumption is made that the software being signed is free from bugs, malware and other vulnerabilities, that it hasn’t been tampered with and that the software team knows exactly what components are inside of it (which by the way, is a new regulatory requirement driving the need for SBOMs).

Our customers have told us how important software threat detection is to them and why it is important for it to be integrated into their security workflows. Furthermore, they tell us that it needs to be easily accessible for a variety of different software teams developing a wide range of software application types and should not impact software team productivity (like slowing down CI/CD pipelines).

Security teams also want a single environment to work within to prescribe enterprise-wide security policy such as code signing process policy, policy for requiring deep binary scans for threats and vulnerabilities, and the creation of comprehensive SBOMs to satisfy emerging regulatory requirements.

ReversingLabs powers DigiCert Software Trust Manager Threat Detection

Today, DigiCert is thrilled to announce a partnership with ReversingLabs, a leader in software supply chain security. This partnership enhances software security by combining advanced binary analysis and threat detection from ReversingLabs with DigiCert’s enterprise-grade secure code signing solution. DigiCert customers will benefit from improved software integrity through deep analysis that shows their software is free from known threats like malware, software ​implants​, software tampering and exposed secrets before they securely sign ​​​​it.

DigiCert has integrated technology from ReversingLabs into its new DigiCert Software Trust Manager Threat Detection.This new capability is sold and supported by DigiCert. It is integrated into DigiCert Software Trust Manager workflows, providing teams a single pane of control and visibility.

Software Trust Manager Threat Detection provides a single workflow that is centrally controlled across the organization. It also generates a comprehensive SBOM covering internally developed- and third-party software, such as open source and commercially licensed software.

As attacks on the software supply chain increases, threat detection and SBOM generation is becoming increasingly important and the focus of government and industry regulations.

Like the world’s recent experience with the COVID-19 pandemic, where a variety of tools, treatments and preventative measures were used, companies need to embrace multiple security measures to protect from software supply chain attacks. The partnership between DigiCert and ReversingLabs is an important step towards achieving this.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min