Code signing plays an important role in all businesses to verify the integrity of software used or distributed by an organization. Code signing has been around for decades; it’s widely used to guarantee that code is authentic and has not been corrupted.
However, because code signing credentials generate such high levels of trustworthiness, they are a highly valuable target for cybercriminals. When signed with a legitimate certificate, malware does not trigger any warnings, and unsuspecting users will trust that the application is safe to install and use.
Just look at the recent case where cybercriminals modified the ASUS Live Update Utility to deliver a backdoor to approximately one million people. How did cybercriminals gain access to such critical business resources? Organizations often leave their code signing credentials unprotected.
This makes it relatively easy for cybercriminals to steal these credentials and use them in their attacks.
But let’s be clear. This is not a problem with code signing itself. Code signing remains a highly valuable function within any software company. The problem lies with an unsecured process that is being used to sign code. Most organizations call it a day once the code is signed and simply aren’t doing enough to protect the code signing keys and certificates they use to do so. Even worse, they don’t have workflows that limit the use of code signing credentials to a list of authorized personnel.
Right about now, you may be wondering if your organization is doing enough to protect code signing certificates. Answer these five questions about your code signing activities to figure out if your organization may have a code signing problem:
Got strong policies? Does your company have a code signing policy that defines where private keys are stored, who has access to those private keys, and who needs to approve the use of those keys?
How much control do you have? Does your company enforce its code signing policy across all software development teams — whether they are developing internal-only software or software that will be distributed to customers and other third parties?
Can you locate code signing certificates? Does your company have a complete inventory of ALL code signing certificates that are being used across the entire enterprise — no matter where they are stored or which certificate authority they came from? If you found malware on the internet signed by your company’s code signing certificate, do you know where to start looking for the source of the breach?
Is your process too slow? Does your company have a slow, labor-intensive process for handling code signing operations? If so, do you find your development teams trying to circumvent it (or do you suspect that some are)?
Are you using code signing everywhere you should? Does your company limit the code that it signs because development teams can’t manage code signing certificates themselves or don’t have the bandwidth?
If you answered yes to one or more of these questions, then you probably have a problem with your code signing process. If you answered yes to four or five of these questions, then you have a severe code signing process problem, and you should act immediately.
Where should you start? As the person responsible for protecting critical business assets, such as code signing certificates and keys, you should start by understanding the following information about your code signing certificates:
How many code signing certificates your company is using.
Where all the private keys for code signing are stored.
How secure your code signing private keys are.
Who is authorized to use your code signing credentials.
If software development teams are signing code that you’re not aware of.
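The inventory and key-protection questions above (how many code signing certificates exist, where the private keys live, and whether they are protected) can be answered mechanically for file-based credentials. The script below is an added example, not part of the original post or any vendor tooling: it assumes the `openssl` command-line tool (1.1.1 or later) is installed, builds constructed sample material under a scratch directory, lists every certificate that carries the Code Signing extended key usage, flags private key files that load with no passphrase, and shows the sign/verify step that such a key is used for. All paths, subject names and the passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the `openssl` CLI.
# Constructed sample files live under $WORK so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample material: a code signing cert with an unencrypted key,
# a TLS-only cert (should not appear in the code signing inventory), and a
# passphrase-protected copy of the signing key.
make_samples() {
  mkdir -p "$WORK/build/signing" "$WORK/web"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 30 -subj "/CN=Example Build Signing" \
    -addext "extendedKeyUsage=codeSigning" \
    -keyout "$WORK/build/signing/release.key" \
    -out "$WORK/build/signing/release.crt" >/dev/null 2>&1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 30 -subj "/CN=www.example.test" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$WORK/web/tls.key" -out "$WORK/web/tls.crt" >/dev/null 2>&1
  # Encrypted copy of the signing key (passphrase is constructed for the demo).
  openssl pkey -in "$WORK/build/signing/release.key" -aes256 \
    -passout pass:demo-only -out "$WORK/build/signing/release.enc.key"
}

# Print "path<TAB>subject<TAB>notAfter" for every PEM certificate under $1
# whose extended key usage includes Code Signing.
inventory_codesigning_certs() {
  find "$1" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.cer' \) |
  while read -r f; do
    if openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'Code Signing'; then
      subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
      exp=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
      printf '%s\t%s\t%s\n' "$f" "$subj" "$exp"
    fi
  done
}

# Print the path of every private key file under $1 that loads with an
# empty passphrase, i.e. a key anyone with file access could use.
find_unprotected_keys() {
  find "$1" -type f -name '*.key' | while read -r f; do
    if openssl pkey -in "$f" -passin pass: -noout >/dev/null 2>&1; then
      printf '%s\n' "$f"
    fi
  done
}

# Detached signature over an artifact: $1 = artifact, $2 = private key,
# $3 = signature output file.
sign_artifact() {
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Verify a detached signature against the certificate's public key:
# $1 = artifact, $2 = certificate, $3 = signature. Nonzero if the artifact
# or signature was altered.
verify_artifact() {
  pub=$(mktemp)
  openssl x509 -in "$2" -pubkey -noout > "$pub"
  openssl dgst -sha256 -verify "$pub" -signature "$3" "$1" >/dev/null 2>&1
  rc=$?
  rm -f "$pub"
  return $rc
}

# Stand-alone run: build samples, then report.
if [ "${1:-}" = "--demo" ]; then
  make_samples
  echo "== code signing certificates =="; inventory_codesigning_certs "$WORK"
  echo "== unprotected private keys ==";  find_unprotected_keys "$WORK"
fi
```

Run it with `--demo` to see the two reports; the TLS certificate is excluded from the inventory, and only the passphrase-protected key copy is absent from the unprotected list. In practice the inventory should also cover keys held in HSMs, cloud KMS and signing services, which this file-based scan cannot see.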
Armed with this information, you will be ready to put strong processes in place. But you probably can’t take this on single-handedly. To help mitigate weaknesses in your code signing process, you will need to implement solutions that give you visibility, intelligence, and automated control over code signing for your entire enterprise.
How secure are your code signing certificates?