DevSecOps Overview - Code Signing
Author Rob Campbell
Version 1.01
Last Update 29/04/2020
Certificate Management APIs
Certificate Validation
Signing Request
Signature Validation
Certificate Request
Deployment
Container/VM Orchestration
Signature Validation - Deployment
Infrastructure Team - Deployment
HSM
Keys - Container/VM Orchestration
Container Management
Signature Validation - Container Management
Container/Hypervisor Platform
Container/VM Registry
Infrastructure Team - Container Management
Certificate Validation - Container Management
Local Sign - Container Management
HSM
Keys - Container Hypervisor
Keys - Container/VM Registry
Certificate - Container Hypervisor
Container Images
Container/VM Image (inc Signature)
External Sources
Pre Packaged App (inc signature)
Pre Packaged Container (inc signature)
Internal Sources
Built Package (inc signature)
Build
Build Tool
Signature Validation - Build
Source Code Control
Infrastructure Team - Build
Certificate Validation - Build
Local Sign - Build
Build Product
Built Package
Signature with Timestamp
Certificate - Source Code Control
Certificate - Build Tool
HSM
Keys - Source Code Control
Keys - Build Tool
Development
Integrated Development Environment (IDE)
Software Objects
Build Scripts
Test Code
3rd Party Packages
Source Code
Signature with Timestamp
Signature Validation - IDE
Local Sign - IDE
Infrastructure Support
Developers
Certificate Validation - IDE
Reject Code
Certificate - Developer
Crypto Key Storage
Keys - Developer
Pre Production Nodes
Deployment Target (POD)
Production Nodes
Deployment Target
Inputs - Internal and 3rd Party
Software Objects
Build Scripts
Test Code
3rd Party Packages
Source Code
Prevent unknown and unauthorised software from entering the development lifecycle
Code of a known quality and source is used within production deployments
All Code entering production is signed with Organisation Certificate
All code can be traced back to the developer
All Developers are issued with a certificate to be used for signing
All code downloaded from approved sources has a valid trusted certificate.
All code from untrusted sources is prevented from being used within the development process
Untrusted code is reviewed and tested before being signed
All Container images are signed before submission to the Container Registry
Signatures are validated at every step in the development lifecycle
Any change to trusted (signed) code invalidates the signature and marks the code as untrusted until the code has been retested and signed with a new signature.
All signatures must utilise timestamps to prevent code becoming untrusted due to certificate expiration
Public Key Infrastructure
Hardware Security Model
Certificate Authority
Directory
Certificate Revocation List (CRL)
Create Certificate
Revoke Certificate
Issue Certificate
Validate Certificate
Sign certificate
Time Server
Time Stamp Authority
Identity Verification
Developer Certificate Request
Component Signing Certificate Request
Revoke Developer Certificate
Revoke Component Certificate
Security
Deploy Signing Certificate
Certificate Management APIs Certificate Validation
Certificate Management APIs Signing Request
Certificate Management APIs Signature Validation
Certificate Management APIs Certificate Request
Container/VM Orchestration Deployment Target (POD)
Container/VM Orchestration Deployment Target
Container/VM Orchestration Signature Validation - Deployment
Infrastructure Team - Deployment Component Signing Certificate Request
Infrastructure Team - Deployment Deploy Signing Certificate
HSM Keys - Container/VM Orchestration
HSM Container/VM Orchestration
Container/Hypervisor Platform Container/VM Registry
Container/Hypervisor Platform Signature Validation - Container Management
Container/Hypervisor Platform Certificate - Container Hypervisor
Container/Hypervisor Platform Certificate Validation - Container Management
Container/VM Registry Container/VM Orchestration
Container/VM Registry Signature Validation - Container Management
Container/VM Registry Local Sign - Container Management
Container/VM Registry Container/Hypervisor Platform
Container/VM Registry Certificate Validation - Container Management
Infrastructure Team - Container Management Component Signing Certificate Request
Infrastructure Team - Container Management Deploy Signing Certificate
HSM Keys - Container Hypervisor
HSM Container/Hypervisor Platform
HSM Keys - Container/VM Registry
HSM Container/VM Registry
Container Images Container/VM Image (inc Signature)
Container Images Container/VM Registry
External Sources Pre Packaged App (inc signature)
External Sources Pre Packaged Container (inc signature)
External Sources Container/Hypervisor Platform
Internal Sources Built Package (inc signature)
Internal Sources Container/Hypervisor Platform
Build Tool Signature Validation - Build
Build Tool Local Sign - Build
Build Tool Certificate Validation - Build
Build Tool Certificate - Build Tool
Build Tool Build Product
Source Code Control Signature Validation - Build
Source Code Control Build Tool
Source Code Control Certificate Validation - Build
Source Code Control Certificate - Source Code Control
Infrastructure Team - Build Component Signing Certificate Request
Infrastructure Team - Build Deploy Signing Certificate
Build Product Built Package
Build Product Signature with Timestamp
Build Product Container/Hypervisor Platform
Built Package Signature with Timestamp
HSM Keys - Source Code Control
HSM Source Code Control
HSM Keys - Build Tool
Integrated Development Environment (IDE) Signature Validation - IDE
Integrated Development Environment (IDE) Certificate Validation - IDE
Integrated Development Environment (IDE) Local Sign - IDE
Integrated Development Environment (IDE) Reject Code
Integrated Development Environment (IDE) Software Objects
Integrated Development Environment (IDE) Certificate - Developer
Software Objects Source Code
Software Objects 3rd Party Packages
Software Objects Test Code
Software Objects Build Scripts
Software Objects Signature with Timestamp
Software Objects Source Code Control
Build Scripts Signature with Timestamp
Test Code Signature with Timestamp
3rd Party Packages Signature with Timestamp
Source Code Signature with Timestamp
Infrastructure Support Component Signing Certificate Request
Infrastructure Support Deploy Signing Certificate
Developers Developer Certificate Request
Developers Certificate - Developer
Developers Deploy Signing Certificate
Crypto Key Storage Keys - Developer
Crypto Key Storage Integrated Development Environment (IDE)
Pre Production Nodes Deployment Target (POD)
Production Nodes Deployment Target
Software Objects Build Scripts
Software Objects Test Code
Software Objects 3rd Party Packages
Software Objects Source Code
Public Key Infrastructure Hardware Security Model
Public Key Infrastructure Certificate Authority
Public Key Infrastructure Directory
Public Key Infrastructure Certificate Revocation List (CRL)
Public Key Infrastructure Create Certificate
Public Key Infrastructure Revoke Certificate
Public Key Infrastructure Issue Certificate
Public Key Infrastructure Validate Certificate
Public Key Infrastructure Time Server
Public Key Infrastructure Time Stamp Authority
Public Key Infrastructure Identity Verification
Sign certificate Public Key Infrastructure
Security Revoke Developer Certificate
Security Revoke Component Certificate