CISSP Exam - Question 47

CISSP Official Study Guide - "Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals. In cases where there is a lack of code signing, users may inadvertently run inauthentic code."

Answer A) The developer is the entity responsible for writing, building, and/or submitting the code that will be signed. This entity maintains a secure development environment, including the source code repository, and will submit code to the signer after it has completed the organization’s software development and testing processes. The signer is the entity responsible for managing the keys used to sign software. This role may be performed by the same organization that developed or built the software, or by an independent party able to vouch for the source of the code. https://csrc.nist.gov/files/pubs/shared/itlb/itlbul2018-05.pdf

think like a manager... the developer signing the code may switch his job...thus it is the Organization's responsibility to sign the code. A is correct

I think C. reasons below: in software development, the 'source code' is signed by the developer: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits in software distribution, the organisation would sign their 'software'. e.g. Nvidia would 'release sign' their drivers for the public download: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/release-signing

I am flabbergasted that people have chosen something other than A

n software development, the entity that normally signs the code to protect the code integrity is option C: The developer. Code signing is a process in which a digital signature is applied to software code to verify its authenticity and integrity. The digital signature is created using a private key owned by the developer. By signing the code, the developer provides assurance that the code has not been tampered with and originates from a trusted source.

I think the company is the right answer cause what if you have more than one developer working on the code?

it will conflict of interest if developer sign the code

When you guys install a driver. Is it signed by Joe Whoever or is it signed by the company? You want uniformity in things like this, and any dev shouldn't be able to just sign anything the company puts out.

From the OCG v9 - The developer signing the code does so using a private key, whereas the corresponding public key is included in a digital certificate that is distributed with the application. Users who download the application receive a copy of the certificate bundled with it and their system extracts the public key and uses it in the signature verification process. Yes, it is written "the developer", but I think it means "the developer company", not the individual. If the key is incuded in the digital certificate - the certificate is obviouusly issued for the company.

The developer is usually the responsible person for digitally signing the code of the developed software using a code-signing certificate ... it's just the digital signature may have the organization's information embedded on the signature for companies and developers;'s information for solo publisher persons. https://signmycode.com/resources/code-signing-architecture-how-does-it-work

Of these Developer is the most accurate and used to be true but now it is really the Build or DevOps process that signs, and then it can go to media or deployed to environments as a signed artifact.

Its Organization responsibility to protect the data be NDA from individual of Developer and implement the Due care to protect the data.

Code signing is a security measure that involves digitally signing the code with a cryptographic signature that verifies the identity of the code author and ensures that the code has not been tampered with or altered since it was signed. This helps to protect users from running malicious or unauthorized code. In most cases, the developer signs the code using a private key, which is kept secure and only accessible to authorized personnel. The organization developing the code (Option A) may also be involved in managing the signing process and ensuring that the code meets the organization's security and quality standards. However, the actual act of signing the code is typically performed by the developer.

Integrity = OEM

OSG, pag. 1029. Code Signing Code signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key, and then browsers can use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.

If A is not there, then I would vote for C. But A is here, then obviously the code belongs to the company, but not individuals. We have all signed a document clarifying this point with us as employees, right?