How do you Create and Enforce an Effective Code Signing Policy? Write an Internal Code Signing Policy Guide
As the need for mature signing requirements increases, organizations and development teams must craft and operate robust signing policies and processes to protect software. By creating and documenting a formal policy for signing code, you enable your developers and engineers to follow the best practices necessary for securing the software you build.
What Should I Include in my Code Signing Policy Guide?
Effective code signing policies include guidelines and procedures for issuance and use of code signing keys, including on matters like these:
When establishing management protocols, set controls and procedures for who can issue keys and when. Team members should know when it is appropriate to issue keys, according to their role. Manage which types of keys are issued, as well as the attributes associated with them. This helps avoid issuing new keys with weak algorithms that introduce attack vectors.
Set controls and procedures for user roles. Who manages keys? How is key management divided according to role within the team, organization, or stage of production? These procedures should include location tracking for all keys throughout the organization.
Keys must be protected. Set controls and procedures for key storage while in use and not in use. This should include HSMs, tokens, USBs, and key access using multi-factor authentication. Team members must know how to avoid losing or improperly storing keys.
Team members should know who has permission to sign, and when it is appropriate to sign. They should also know when signing permission is not granted and how to request signing if permission is not a part of their role.
How keys are used, or not used, is a crucial part of correct signing procedures. Keys should be used at the right time by the right people.
Preventing Key Sharing
Key sharing is a common practice. It is also one of the most dangerous practices. Team members should never share keys, even inside repositories or internal servers, systems, and networks. Keys should be uniquely issued, controlled, and stored by the appropriate individual, according to their role.
Code and software signing should never be treated like an afterthought or a tedious compliance step. Every CI/CD pipeline should include CS—Continuous Signing—so code security is practiced correctly and consistently.
For a comprehensive explanation of how to write an internal code signing policy, read our guide here.