Code Signing Credentials Are Machine Identities and Need to Be Protected

The world is experiencing a digital transformation that is eclipsing all previous technological advancements. As more IT workloads move to the cloud, and as more IT services are containerized, they all need to be authenticated using cryptographic keys and digital certificates, or machine identities. Given the pace and scale of this new world of machines, protecting those machine identities is becoming increasingly critical to security. Although these changes affect every business, many organizations use outdated methods to protect the exponentially rising number of machine identities they now require. Those approaches simply can’t keep up.

How does this impact the security of code? There are many types of machine identities — TLS, SSH, mobile and more — that are used on many types of machines. When you look at it in this light, code is the ultimate “machine” that requires an authorized identity so that we can trust it. That is precisely why machine identities are so critical to the code signing process.

When signed with a valid code signing certificate (or machine identity), computers implicitly trust the code’s machine identity and then unconditionally run it. The valid code signature indicates that the code comes from the trusted source that signed it and has not been modified by a third party. When this process is compromised, what better way for cybercriminals to sneak in their own malware-ridden code and appear to be legitimate?

When properly protected, code signing is an effective tool to stop the spread of malware. However, code signing is one such area where outdated and insecure methods continue to be used to protect the keys and certificates that serve as the code’s machine identities. These outdated methods continue to fail businesses as a recent Venafi blog reported that over 25 million malicious binaries have been signed with stolen private keys.

Earlier this year, Kaspersky reported that Operation ShadowHammer used vulnerable code signing private keys to infect over a million ASUS computers with malware.

Even with these high-profile incidents of attacks using unprotected code signing credentials, Venafi recently polled 320 security professionals in the US, Canada, and Europe to learn more about their code signing security practices. The study found that although respondents understand the risk of code signing, they are not taking proper steps to protect this type of machine identity. This survey showed that only 28% of businesses consistently enforce a defined security process for code signing certificates. In Europe, that number is much lower, with only 14% reporting that the consistently enforce defined security policies.

Looking forward, the situation will potentially get worse before it gets better. 69% of the same companies expected their usage of code signing to grow in the next year (not surprising, as more businesses experience digital transformation).

Individual development teams continue to be largely responsible for managing their code signing credentials and processes. These teams often do not have expertise in PKI or protecting machine identities. As such, these developers often do not appreciate the significant risks they are creating for their companies, should code signing credentials be misused.

Clearly, a new approach is needed to protect code signing machine identities. This new approach requires collaboration between InfoSec and the development community. Implementing or expanding a machine identity protection program requires that organizations address complex technology, people, process and communication challenges. In addition to assessing the technical merits of each solution, they must also consider the merits of each solution provider as a potential strategic partner. A decision process that focuses exclusively on technology ignores the interrelated challenges that every successful machine identity program must address.

This UrIoTNews article is syndicated fromDzone