
Code Signing Risks: Hackers Are Getting Better at Stealing Code Signing Machine Identities

December 1, 2021 | Brooke Crothers

In today’s fast-moving digital economy, central security groups are finding it difficult to keep up with the code signing demand from developers, especially in large organizations. This lack of visibility and oversight can leave your organization exposed to attacks by cybercriminals, who take advantage of weaknesses in your code signing processes to slip their malware into software that, once signed, appears to be legitimate.

 

What Is Your Code Signing Risk?

Hackers are getting better at stealing code signing machine identities. They insert their malware into legitimate software, sign it with a stolen key and then distribute it. The malware-infected software update looks legitimate because it carries a valid signature.

When properly managed, though, code signing can stop the spread of malware. That is why nearly every organization relies on code signing to confirm that its code is authentic and hasn’t been corrupted with malware.

Digitally signing your IT automation scripts and macros binds your identity to the code. Users of your automation scripts or macros then can trust that the script or macro really did come from you and hasn’t been modified by a third party. This can ease concern about running unsafe code. And any changes to the script or macro made after the signature has been applied, such as insertion of a virus, will invalidate the signature, protecting your name and reputation. But code signing is only as secure as the process that your organization uses to sign code.
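The two properties described above, that a signature binds the code to the holder of a private key and that any change after signing invalidates it, can be demonstrated with a few lines of Go. This is an added example and not Venafi's code or part of the original post; it uses Ed25519 from Go's standard library in place of the certificate-based signing (Authenticode, X.509 chains) that enterprise tooling uses, and the script text, key names and function names (`SignScript`, `VerifyScript`, `RunSigningCheck`) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// sampleScript is a constructed stand-in for an IT automation script; it is not from the page.
const sampleScript = "Get-Service | Where-Object Status -eq 'Running'\n"

// SignScript returns a detached signature over the exact bytes of script,
// made with the publisher's private key. Only the holder of that key can produce it.
func SignScript(priv ed25519.PrivateKey, script []byte) []byte {
	return ed25519.Sign(priv, script)
}

// VerifyScript reports whether sig is a valid signature over script under pub.
// Any change to script after signing makes this return false.
func VerifyScript(pub ed25519.PublicKey, script, sig []byte) bool {
	return ed25519.Verify(pub, script, sig)
}

// SigningCheck captures the three outcomes a verifier cares about.
type SigningCheck struct {
	Original bool // untouched script, checked against the publisher's key
	Tampered bool // script modified after signing, checked against the publisher's key
	WrongKey bool // untouched script, checked against an unrelated key
}

// RunSigningCheck generates a publisher key pair (hypothetical, in memory only),
// signs the sample script, and verifies it three ways.
func RunSigningCheck() (SigningCheck, error) {
	var out SigningCheck
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	// A second, unrelated key pair stands in for "some other publisher".
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := SignScript(priv, []byte(sampleScript))

	// 1. The script as signed verifies under the publisher's public key.
	out.Original = VerifyScript(pub, []byte(sampleScript), sig)

	// 2. Appending even a harmless comment after signing breaks the signature.
	tampered := []byte(sampleScript + "# one line appended after signing\n")
	out.Tampered = VerifyScript(pub, tampered, sig)

	// 3. The same signature does not verify under a key the publisher does not hold.
	out.WrongKey = VerifyScript(otherPub, []byte(sampleScript), sig)
	return out, nil
}

func main() {
	r, err := RunSigningCheck()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("original verifies: %v\n", r.Original)              // true
	fmt.Printf("tampered verifies: %v\n", r.Tampered)              // false
	fmt.Printf("verifies under unrelated key: %v\n", r.WrongKey)   // false
}
```

The `Tampered` result is the property the paragraph relies on: a consumer of the script can detect post-signing modification without reading the script. The `Original` and `WrongKey` results together show the limit of that guarantee: verification proves only that whoever signed held the private key, which is why custody of that key is the control that matters.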

Identifying code signing risks

Most organizations develop software for internal use or scripts to automate critical IT operations. This means that your organization is most likely already using code signing to protect the software that you develop and use.

But most code signing activities are handled by the authors of the software rather than a centralized group, such as information security (InfoSec). In the past, InfoSec may have been the central keeper of code signing. But with digital transformation and DevOps, a central group can’t keep up with the demands from the hundreds or thousands of developers around your organization.

This lack of visibility and oversight can leave your organization exposed to attacks by cybercriminals, who take advantage of the vulnerabilities to slip their malware into software that appears to be legitimate.

A secure code signing process can help your organization avoid the many risks and resulting damage.

Even though code signing has protected businesses and consumers for decades, there has been a recent increase in cybercriminals stealing keys, forging signatures, or exploiting weaknesses in insecure code signing processes. This exposure increases the risk that critical internal software infrastructure is compromised by hackers, and it can ultimately damage the reputation of a business when a third party inserts malware into its software products.

How secure is your organization’s code signing process? Venafi CodeSign Protect can help you enforce security policies for code signing while actually making it easier for your developers to sign code within their desired toolsets.
