A sidewalk depiction of IBM's Peace, Love, and Linux advertising campaign in 2001. ("Peace, Love, and Linux" by kino-eye is licensed under CC BY-NC-SA 2.0)

The Linux Foundation is launching "sigstore," a free-to-use software signing certificate authority open to all developers.

Code signing cryptographically authenticates that software has not been tampered with before installation. It can be a valuable tool to prevent hackers from co-opting patching systems or software distribution to deliver malware. But it can be a difficult feature for open source software producers to leverage, given the complexities of the process and key management.
The sigstore project opens with Google, Purdue University and Red Hat as founding members. The announcement comes less than a month after Google announced that it was underwriting two Linux kernel security positions through the Linux Foundation.

"sigstore aims to make all releases of open source software verifiable, and easy for users to actually verify. I'm hoping we can make this as easy as exiting vim," said Dan Lorenc of Google's Open Source Security Team, joking about the tough-to-quit text editor. "Watching this take shape in the open has been fun. It's great to see sigstore in a stable home."

sigstore comes as more organizations begin to think critically about third-party risk, particularly after the SolarWinds hackers co-opted the update system to breach downstream users. That said, it's worth noting that in SolarWinds, malware was inserted into updates early enough in the process that code signing would not have caught the problem: a signature only attests that the artifact has not changed since it was signed, not that it was clean when signing took place.

Still, the founding members of sigstore believe the project can drastically change the environment for software authentication.

"We are happy to host and contribute to work that enables software maintainers and consumers alike to more easily manage their open source software and security," said Mike Dolan, senior vice president and general manager of projects for the Linux Foundation, in a statement.
Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.