BS ISO-IEC 17960-2015 pdf free download – Information technology — Programming languages, their environments and system software interfaces — Code signing for source code.
5 Concepts
This clause provides an overview of the concepts of code signing.
Code signing is a technique for providing a digital signature for source code to support a verification of the originator and a verification that the code has not been altered since it was signed.
Code signing can provide several valuable functions such as:
— knowledge of the history of the source code
— confidence that the source code has not been accidentally or maliciously altered
— verification of the identity of the responsible party for the source code
— accountability for the source code
— non-repudiation of the originator of the source code
Code signing identifies to customers the responsible party for the source code and confirms that it has not been modified since the signature was applied. Verification of the originator of the source code of the software is extremely important since the security and integrity of the receiving systems can be compromised by faulty or malicious code. In addition to protecting the security and integrity of the software, code signing provides authentication of the author, originator or distributor of the source code, and protects the brand and the intellectual property of the developer of the software by making applications uniquely identifiable and more difficult to falsify or alter maliciously.
When source code is associated with an originator’s unique signature, distributing source code on the Internet is no longer an anonymous activity. Digital signatures ensure accountability, just as a manufacturer’s brand name ensures accountability with packaged software. Distributions on the Internet lack this accountability and code signing provides a means to offer the needed accountability. Accountability can be a strong deterrent to the distribution of harmful code. Even though software may be acquired or distributed from an untrusted site or a site that is unfamiliar, the fact that it is signed by a known and trusted entity allows the software to be used with confidence that it has not been changed as compared to the most recently signed version.
In addition to the valuable functions that code signing offers, this International Standard will specifically facilitate the following capabilities:
— a mechanism to show what has been altered in the source code and the responsible party for such changes;
— multiple signatures to allow for an audit trail of the signed source code;
— versioning information;
— storage of other metadata about the source code.
The capability for a tracking mechanism and multiple signatures for one piece of source code is needed in some cases in order to create a digital trail through the history of the source code. Consider a signed piece of source code. Someone should be able to modify a portion of the source code, even if just one line or even one character, without assuming responsibility for the remainder of the source code. A recipient of the source code should be able to identify the responsible party for each portion of the source code. For instance, a very trustworthy company A produces source code for a driver. Company B modifies company A’s source code for a particular use. Company B is not as trusted or has an unknown reputation. The recipient should be able to determine exactly what part of the source code originated with company A and what was added or altered by company B so as to be able to concentrate their evaluation on the sections of source code that company B either added or altered. This necessitates a means to keep track of the modifications made from one signed version to the next.BS ISO-IEC 17960 pdf download.