T-76 4115 06-07F-Secure Software Signing SystemOlli Salminen, Research Manager

F-Secure Research

Page 2

F-Secure Corporation

• Founded in 1988

• Anti-Virus and Intrusion Prevention solutions

• The Group's personnel numbered 454 at the end of the quarter 1 2006

• Offices in 15 countries, resellers and distributors in over 50 countries

http://www.f-secure.com

Page 3

Difficulty in Signing Process

• At the moment the signing cannot be done remotely

• When something needs to be signed, people need to come to the office

• At the moment not integrated with other signing systems

• Anti-Virus Database Updates are signed in different system

• Logging and monitoring missing

• Only a few people has rights to sign F-Secure software

• New Windows Vista will increase the amount of code that needs to be signed

Page 4

What we need

• Objective is to have automatic, reliable, secure and remotely usable software signing system. It will accept software package as input, performs various operations, adds the signature and releases the software to correct channel. The system needs to have reporting functionality to see later what was done.

• So, we need a system that

• Signs software and verifies the result

• Does it securely

• Allows remote usage of the system

• Logs the changes / results

• Allows to see later what has happened and by who

• Has a user management

• Integrates with other signing systems

Page 5

What That Might Mean?

• It might be enough just to create the system and module architecture documentation + prototype

• It also might mean the ready system which will be used in production

• Signing workflow is described here

Firewall

Developer

4. Approval

1. Submission Request

6. Virus Scan

Internet

Timestamp Server

Security Boundary

Security Boundary

Web Server

Approvers

File Server

Code SigningServer

2. File Share Creation

3. Submission Uploaded

Security Boundary

7. Logging

8. Code Signing

10. Return Signed Code

Firewall

Staging Server

Archive Server

9. Archive

Audit Server

VirusScanner

HSM

5. Transfer to Staging Server

Firewall

Page 6

What tools can be used

• We are not limiting the set of development tools, but we encourage the use of:

• Java/Hibernate/Spring,

• MySQL for the database,

• Python for scripting and

• XML-RPC as a communication tool between processes

• If the usage of these tools is not suitable for some parts of the system, different tools can also be used

Page 7

Why Would You Choose This Project?

• What we offer is:

• Challenging project that will be used in real world

• We have done T-76-4115 projects also earlier

• We know what to expect

• Good working environment

• Workstations / laptops for the development

• Good hardware for the production

• Room in Ruoholahti office

• Possibility to work also remotely

• Guidance and technical advisor

• Learn from leading edge software development professionals

• Benefits like cheap soft drinks, free coffee/tea/fruits, sauna parties, free beer…

Page 8

What Type of Persons

• We are looking for

• 5-7 energetic and ambitious persons

• With technical skills mentioned earlier

• We need developers

• Project leader with management skills

• System Architect

• Quality-minded system tester

• Fluent communication skills in English

• We expect that the project uses Agile software development methods

• Technical Advisor, Kimmo Toro, tells more about this project

Page 9

Now It Is Your Turn

• Any questions?