Minimum CA Standards Hit Code Signed Malware Where It Counts
January 3, 2017 | Scott Carter

With an estimated 25 million pieces of malware enabled by code signing, it is about time we as an industry started taking the problem seriously. The Certificate Authority Security Council has finally stepped up to the plate with its first-ever standard for code signing. The new Minimum Requirements for Code Signing, for use by all Certificate Authorities (CAs), aims to improve internet security by making it easier to verify software authenticity.

Why do we need a standard? In a recent write-up in Infoworld, Venafi VP of security strategy Kevin Bocek notes that "Stolen code-signing digital certificates are sold every day on underground markets for more than $1,000 each." By using these stolen, legitimate code-signing certificates to sign malware, attackers can sneak malicious code past traditional security defenses. Bocek puts the problem into perspective, noting that "Code signing is critical to every mobile device and computer we touch."

Bocek notes that this is important because, with each CA applying its own rules for how it issues and revokes code signing certificates, both developers and cybercriminals could game the system. Infoworld goes on to explain why: "Without any standards in place, it was possible to get accepted by one CA even after already being rejected by a different CA. The variance made it difficult to know which code-signing certificate could be trusted. With the guidance, each CA has some leeway in developing its own process for how to issue and revoke certificates, but the underlying requirements are the same from CA to CA."

But under the new standard, the burden of security for code signing will not rest entirely with the CAs. IT admins will also play an important part in the process. To comply with the standard, IT admins will be required to prove that they are taking steps to secure their private keys. Requesters who do not meet the minimum requirements will not be issued a code-signing certificate, or may have an existing certificate revoked.

Code-signed malware is a serious problem. Without constant vigilance, it can only get worse. "The CA Security Council guidance on code signing is long overdue," Bocek said. "New methods of certificates to detect fraud and misuse such as Certificate Reputation will also see increased adoption as misuse of code signing certificates gets more and more attention."

Read more about how the standard may impact your certificate management and security in the full Infoworld article.

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.