LOCK IT UP

... Keys to Better Security

by Neil Rerup
October 27, 2006

Code Signing vs Code Hashing

Once you’ve made sure that your application has been written in a secure manner, there is one last step. You need to ensure that the Application located in the Production environment is the one you approved. In other words, you need a mechanism to ensure that Applications aren’t changed without going through a proper Change Management process. That mechanism is usually called Code Signing.

I’ve come to believe that there are actually two different things people mean by Code Signing when they talk about Code Assurance. In one case, they are talking about Code Signing proper: applications distributed from a single location carry a certificate so that the Workstation receiving the Application can prove it came from a certified source. The second type is when a Hash is taken of an Application and stored in a secure location, so that it can be compared against the approved Application in the case of an Audit. It’s this second one that matters for all Applications, and I will refer to it as Code Hashing.

Think of Code Hashing this way. You’ve gone through the SDL and done all the work needed to create an Application without vulnerabilities. You move the Application into the production environment, and then a Developer thinks of a possible change that might improve it. It’s only a small change, so what’s the harm? Well, that small change may create a large hole. If you have hashed the approved Application and you check that Hash on a regular basis against the Production Application, you will know whether what is sitting in the Production environment is still the approved Application.

This gives you a higher level of assurance than Code Signing that the Application is what was approved. All Code Signing does is tell the receiver of an Application that it came from an approved source. It doesn’t say whether the Application was checked for security, or whether controls were in place to prevent changes to the Application outside the Change Control processes. So, in short, Code Hashing is needed for all production applications, whereas Code Signing is needed for Applications that are passed from one location to another.

If you were to look for a Code Hashing tool, look for something that simply hashes files. Don’t confuse Code Hashing tools with Code Signing tools. One such tool you could use is MD5Deep. You can find it on Sourceforge at http://md5deep.sourceforge.net/. But look for a Hashing tool used by some sort of authoritative source. The reason I mention MD5Deep is that it is a Hashing tool created by the US Air Force.

Anyway, one last step that I highly recommend prior to putting an Application into production is to create a Hash of it and ensure that the Hash is stored in a secure location, with auditable processes governing access to it. This way you finish off the SDL with a final step of assurance.
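The Code Hashing procedure above (hash the approved release, store the manifest securely, compare it against production on a regular basis) as an added example that is not from the original post or from MD5Deep. It hashes a directory tree recursively the way md5deep -r does, but uses SHA-256 rather than MD5; the directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path, algo="sha256"):
    """Stream one file through the digest (SHA-256 here instead of MD5)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Recursively hash every file under root -> {relative path: digest}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, approved):
    """Audit check: compare the production tree against the approved manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in approved if f in current and current[f] != approved[f]),
        "missing": sorted(f for f in approved if f not in current),
        "unexpected": sorted(f for f in current if f not in approved),
    }


def demo():
    """Constructed scenario: approve a release, then a developer makes a 'small change'."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "app"
        (app / "lib").mkdir(parents=True)
        (app / "main.py").write_text("print('release 1.0')\n")
        (app / "lib" / "auth.py").write_text("def check(u, p): return u == 'admin' and bool(p)\n")
        # the approved baseline; in practice keep this JSON off-host with access-audited storage
        baseline = json.dumps(build_manifest(app), indent=2, sort_keys=True)
        # unapproved edits made directly in production, outside change control
        (app / "lib" / "auth.py").write_text("def check(u, p): return True\n")
        (app / "main.py").unlink()
        (app / "debug.py").write_text("import pdb\n")
        return verify_manifest(app, json.loads(baseline))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty list in the result means production no longer matches the approved release and the change should be traced back through the Change Control record.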

Neil R.

Posted at 04:51 PM