Code Signing 07-23-2021

Putting the White House Cybersecurity Executive Order Vision Into Action

DigiCert

Ransomware attacks have been all over the headlines in recent weeks, putting a new spotlight on the need for cybersecurity. Shortly after a ransomware attack disabled a major fuel pipeline supporting the East Coast, U.S. President Joe Biden signed an executive order (EO) focused on improving the nation’s cybersecurity.

The new EO is targeted at federal departments and agencies, and federal contractors, but its impact is expected to reach far and wide across critical infrastructure sectors and the technology companies that support them. In fact, the order encourages businesses to follow the federal government’s lead to build up their cybersecurity investments and better protect their organizations.

Highlights of the new directive include a move to modernized cybersecurity, strengthening software security and a new Cybersecurity Safety Review Board. Read on for a breakdown of each change and what it means for any organization that is interested in keeping its users and data safe — in other words, most everyone.

Toward tougher, modernized cybersecurity

A major pillar in the new EO calls for modernizing and implementing stronger cybersecurity standards. Its aim is to help the Federal government move to more secure cloud services and a zero-trust architecture. The order also mandates deployment of multifactor authentication, as well as encryption with a specific time period.

Obviously, encryption is one aspect of the EO where PKI solutions can help ensure the high level of trust required. PKI is proven, flexible and widely adopted across many different industries and use cases. It’s great for securing not only websites, but also networks, email, devices, documents and even individual users. IT and security are comfortable with PKI because it lets them issue and manage encryption and authentication certificates in the cloud, on-prem or in hybrid environments.

PKI can also contribute to supporting the zero-trust architecture. Zero-trust is based on the mantra “never trust, always verify.” It centers around the idea that no organization should ever automatically trust devices or users based only on their physical or network location — or who owns the device. Whether it’s an IoT device like a healthcare IV pump or a remote employee logging into the company network, every connection needs to be verified.

For example, in a healthcare environment, caregivers need to be sure they can trust all of the IoT devices that are connecting to their environments, as well as the online services and apps they need to serve patients. PKI can help establish the identity of these essential IoT devices, assuming the provider has a proper, valid certificate in place. It can also help organizations protect sensitive healthcare data through encryption, whether the data is in transit or at rest. Although PKI may not cover every single aspect of a zero-trust environment, it does provide a strong foundation for the authentication and trust that’s required.

Strengthening software security

The new EO also provided some strong direction to improve the security of software and the supply chain itself. It sets up baseline security standards for development of software sold to the government, including requirements for improved visibility into software, and making security data publicly available. This part of the order recognizes that too much software is shipped with vulnerabilities that bad actors can exploit.

Securing software isn’t easy in fast-paced DevOps-driven organizations. Most workflows are all about maintaining continual development and pushing deliverables out, rather than security by design. Fortunately, when implemented the right way, best practices like code signing can help companies bake security into each stage of the development process. Applying digitally signed code and containers throughout the Continuous Integration/Continuous Delivery (CI/CD) pipeline lets organizations take control of development and confirm the integrity of code before it moves further along in the development cycle and out to production environments and customers.

Equally important is ensuring private keys are protected, not shared or reused too many times across all signing activities, and that they are stored securely within an on-premise or cloud HSM. The right PKI management platform can help developers access the keys during signing events, but store them securely offline otherwise, while providing security teams with granular audit trails and reporting mechanisms. The right platform can also incorporate process improvements such as consensus-based approvals before code is signed and shipped, as well as auditing to look for anomalies in signing activities. DigiCert Secure Software Manager is a modern way of managing code signing by enabling automated security across CI/CD pipelines with portable, flexible deployment models, continuous signing and secure key management.

But what about organizations using open-source libraries where the integrity of code is more difficult to track? To get comprehensive visibility into the security of code, it is becoming increasingly important to establish a software bill of materials (SWBOM). A complete list of the all the components that make up a software application, including version numbers, software patches and upgrades, and any open-source elements, can enable developers and manufacturers to apply security to meet today’s DevOps and IoT challenges.

An SWBOM can strengthen not only software development processes, but the entire manufacturing supply chain. Today, many chips embedded in devices come with software baked on, and manufacturers may have no idea where it comes from. As devices and components become more sophisticated, tracking the myriad bits of code that can wind up inside a device is becoming extremely difficult. The new EO encourages developers and manufacturers in the IoT space to gain deeper insight into what’s on their devices. If a breach or software issue should occur, an SWBOM can improve their ability to determine whether the code in question has been deployed to customer environments — and provide the first steps toward a remediation strategy. Ideally, these SWBOM files should be digitally signed to provide proof of manipulation. This will make the SWBOM trustworthy.

Establishing a Cybersecurity Safety Review Board

Another strong recommendation of the EO is the establishment of a Cybersecurity Safety Review Board composed of private sector and government leaders. Like the National Transportation Safety Board, this team would assemble after a major incident to analyze what happened and make recommendations for improving cybersecurity.

This review board is an excellent example of how the federal government can partner with industry leaders to drive positive change. All too often, individual organizations will fail to fully investigate cybersecurity incidents. Instead of taking stock of what lessons they’ve learned, they may move on too quickly and wind up repeating the same mistakes. The EO not only sets up a deeper investigation of major incidents, but also encourages the kind of information sharing that industries need to understand and respond to new threats faster — and minimize the damage they can cause.

People rarely agree on anything in Washington, but the new cybersecurity EO demonstrates that there’s plenty of common ground when it comes to protecting people, devices, supply chains and networks from malicious cyber-attacks. At DigiCert, we’ll continue to drive innovation to help our customers ensure that their data and operations remain trusted, safe and secure.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

12-04-2024

How artificial intelligence is reshaping digital trust

12-18-2024

Announcing the new open-source DCV library from DigiCert

How to spot a fraudulent website