Code Signing Risks: Hackers Are Getting Better at Stealing Code Signing Machine Identities

In today’s fast-moving digital economy, central security groups are finding it difficult to keep up with the code signing demand from developers—especially in large organizations. This lack of visibility and oversight can leave your organization exposed to attacks by cybercriminals, who take advantage of the vulnerabilities in your code signing processes to slip their malware into software that appears to be legitimate when signed.

What Is Your Code Signing Risk?

Hackers are getting better at stealing code signing machine identities. They insert their malware into legitimate software, sign it with a stolen keys and then distribute it. The malware-infected software update looks legit because it has a valid signature.

But when properly managed, code signing can stop the spread of malware. The upshot is, nearly every organization relies on code signing to confirm their code is authentic and hasn’t been corrupted with malware.

Digitally signing your IT automation scripts and macros binds your identity to the code. Users of your automation scripts or macros then can trust that the script or macro really did come from you and hasn’t been modified by a third party. This can ease concern about running unsafe code. And any changes to the script or macro made after the signature has been applied, such as insertion of a virus, will invalidate the signature, protecting your name and reputation. But code signing is only as secure as the process that your organization uses to sign code.

Identifying code signing risks

Most organizations develop software for internal use or scripts to automate critical IT operations. This means that your organization is most likely already using code signing to protect the software that you develop and use.

But most code signing activities are handled by the authors of the software rather than a centralized group, such as information security (InfoSec). In the past, InfoSec may have been the central keeper of code signing. But with digital transformation and DevOps, a central group can’t keep up with the demands from the hundreds or thousands of developers around your organization.

This lack of visibility and oversight can leave your organization exposed to attacks by cybercriminals, who take advantage of the vulnerabilities to slip their malware into software that appears to be legitimate.

A secure code signing process can help your organization avoid the many risks and resulting damage.

Even though code signing has protected businesses and consumers for decades, there has been a recent increase in cybercriminals stealing, forging, or leveraging vulnerabilities through insecure code signing processes. This exposure increases the risk that critical internal software infrastructure is compromised by hackers. And ultimately can damage the reputation of a business when malware is inserted by a third party into their software products.

How secure is your organization’s code signing process? Venafi CodeSign Protect can help you enforce security policies for code signing while actually making it easier for your developers to sign code within their desired toolsets.

Related Posts 

• How Are Cybercriminals Sneaking Past Malware Detection Tools? 
• CISA Advisory on Conti Ransomware Warns of Increased Attacks [Is Code Signing the Answer?] 
• Why Sign Code? [Hint: Prevent Access to Unauthorized Software]