Protecting software requires a strong security posture throughout the Software Development Lifecycle (SDLC). Implementing standard security controls (SAST, SCA, DAST, etc.) is an instrumental step in producing secure software, but it is not enough. These controls are key security components, yet even well-secured software can have malicious code embedded in it by attackers if it lacks anti-tampering protection. Anti-tampering coverage requires software producers to provide an attestation that no one has modified, in any way, the software produced through the SDLC. A stronger form of that attestation is achieved through code signing.
In the white paper "Code Signing", the ND-ISAC Application Security Working Group presents the unique challenges and risks surrounding the protection of applications once they are built, and the code signing strategies needed to protect software against the tampering techniques used by attackers. The paper explains the importance of anti-tampering protections in software to minimize the risk of software weaponization and to enable the detection of potentially malicious embedded code when the attestation seal is broken. The white paper covers four key areas of code signing:
- Strategies available to sign code
- How to integrate Code Signing in a DevOps pipeline
- Considerations for signing cloud applications
- Meeting compliance requirements
The audience of this white paper includes security engineers, software engineers, cloud architects, and product managers responsible for securing software used by end users.
Download the white paper: https://ndisac.org/wp-content/uploads/2024/07/ND-ISAC-Code-Signing-Final.pdf
For more information, to collaborate on future releases, or if you are interested in becoming a member of ND-ISAC, contact: info@ndisac.org