
Code Signing Credentials Are Machine Identities and Need to Be Protected


code signing, private keys, pki
June 20, 2019 | Eddie Glenn


The world is experiencing a digital transformation that is eclipsing all previous technological advancements. As more IT workloads move to the cloud, and as more IT services are containerized, they all need to be authenticated using cryptographic keys and digital certificates, or machine identities. Given the pace and scale of this new world of machines, protecting those machine identities is becoming increasingly critical to security. Although these changes affect every business, many organizations use outdated methods to protect the exponentially rising number of machine identities they now require. Those approaches simply can’t keep up.



How does this impact the security of code? There are many types of machine identities—TLS, SSH, mobile and more—that are used on many types of machines. When you look at it in this light, code is the ultimate ‘machine’ that requires an authorized identity so that we can trust it. That is precisely why machine identities are so critical to the code signing process.

When code carries a valid signature from a code signing certificate (its machine identity), the operating system or loader treats it as coming from that publisher and allows it to run. A valid signature establishes two things: the code has not been altered since it was signed, and the signature was produced by whoever held the private key associated with the certificate. It does not establish that the key was in the hands of its rightful owner. That gap is exactly what attackers exploit: if the signing process is compromised, their malware carries a legitimate publisher's signature and passes the same checks as genuine code.
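What a signature does and does not prove, as an added example that is not part of the original post: a Go program, using only the standard library's Ed25519 implementation, in which a publisher signs an update, a trust store verifies it, a tampered copy fails, a signature from an attacker's own key fails, and a binary signed with the publisher's stolen key passes exactly like genuine code. The publisher names, artifact contents and the TrustStore type are constructed for illustration; real code signing wraps the public key in an X.509 certificate chained to a trusted CA rather than a map of raw keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher is a software vendor's code signing identity. The private key is
// held in memory here for illustration only; in production it belongs in an
// HSM or a signing service that never releases it to developer machines.
type Publisher struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh Ed25519 key pair for the named vendor.
func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, pub: pub, priv: priv}, nil
}

// PublicKey is what the vendor distributes (inside a certificate, in practice).
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign produces a detached signature over the artifact bytes. Anyone holding
// the private key can call this, which is the whole problem with key theft.
func (p *Publisher) Sign(artifact []byte) []byte {
	return ed25519.Sign(p.priv, artifact)
}

// TrustStore is a constructed stand-in for the machine-side list of
// publishers whose signatures are accepted (an OS trust store or CA chain).
type TrustStore struct {
	trusted map[string]ed25519.PublicKey
}

func NewTrustStore() *TrustStore {
	return &TrustStore{trusted: map[string]ed25519.PublicKey{}}
}

// Trust registers a publisher's public key under its name.
func (ts *TrustStore) Trust(name string, pub ed25519.PublicKey) {
	ts.trusted[name] = pub
}

// Verify reports whether sig is a valid signature by the named publisher over
// exactly these artifact bytes. It proves key possession and integrity, and
// nothing about who was holding the key when the signature was made.
func (ts *TrustStore) Verify(publisher string, artifact, sig []byte) bool {
	pub, ok := ts.trusted[publisher]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, artifact, sig)
}

func main() {
	vendor, err := NewPublisher("Example Vendor")
	if err != nil {
		panic(err)
	}
	store := NewTrustStore()
	store.Trust(vendor.Name, vendor.PublicKey())

	// Constructed stand-ins for a legitimate update and a trojanized copy.
	update := []byte("update-installer v1.2")
	malware := []byte("update-installer v1.2 with implant")

	sig := vendor.Sign(update)
	fmt.Println("genuine update verifies:       ", store.Verify(vendor.Name, update, sig))
	fmt.Println("modified bytes, same signature:", store.Verify(vendor.Name, malware, sig))

	// Attacker without the vendor's key: a signature from their own key is rejected.
	attacker, err := NewPublisher("Attacker")
	if err != nil {
		panic(err)
	}
	fmt.Println("signed with attacker's own key:", store.Verify(vendor.Name, malware, attacker.Sign(malware)))

	// Attacker holding the vendor's stolen key: indistinguishable from genuine.
	fmt.Println("malware signed with stolen key:", store.Verify(vendor.Name, malware, vendor.Sign(malware)))
}
```

The last line is the point of the post: the verifier has no way to tell a signature made by the vendor's build pipeline from one made by an attacker who exfiltrated the same key, so every control has to sit in front of the private key rather than behind the signature check.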

When the keys are properly protected, code signing is an effective control against the spread of malware. But code signing is one area where outdated and insecure methods are still used to protect the keys and certificates that serve as the code's machine identities, and those methods keep failing businesses: a recent Venafi blog reported that over 25 million malicious binaries have been signed with stolen private keys.

Earlier this year, Kaspersky reported that Operation ShadowHammer used compromised ASUS code signing keys to sign malware that infected over a million ASUS computers.

These high-profile attacks using unprotected code signing credentials have not translated into better practice. Venafi recently polled 320 security professionals in the US, Canada and Europe about their code signing security practices. Respondents understand the risk of code signing, but they are not taking the steps needed to protect this type of machine identity: only 28% of businesses consistently enforce a defined security process for code signing certificates. In Europe the figure is much lower, with only 14% reporting that they consistently enforce defined security policies.

Looking forward, the situation will likely get worse before it gets better: 69% of the same companies expect their use of code signing to grow in the next year, which is not surprising as more businesses go through digital transformation.

Individual development teams are still largely responsible for managing their own code signing credentials and process. These teams often lack expertise in PKI or machine identity management, so they tend to underestimate the risk they create for the company if a code signing credential is stolen or misused.

Clearly, a new approach is needed to protect code signing machine identities. This new approach requires collaboration between InfoSec and the development community. Implementing or expanding a machine identity management program requires that organizations address complex technology, people, process and communication challenges. In addition to assessing the technical merits of each solution, they must also consider the merits of each solution provider as a potential strategic partner. A decision process that focuses exclusively on technology ignores the interrelated challenges that every successful machine identity program must address.



About the author

Eddie Glenn
Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.
