Minimum CA Standards Hit Code-Signed Malware Where It Counts
January 3, 2017 | Scott Carter

With an estimated 25 million pieces of malware enabled by code signing, it's about time we as an industry started taking the problem seriously. The Certificate Authority Security Council has finally stepped up to the plate with its first-ever standard for code signing. The new Minimum Requirements for Code Signing, for use by all Certificate Authorities (CAs), aims to improve internet security by making it easier to verify software authenticity.

Why do we need a standard? In a recent write-up in Infoworld, Venafi VP of security strategy Kevin Bocek notes that "Stolen code-signing digital certificates are sold every day on underground markets for more than $1,000 each." By using these stolen but legitimate code-signing certificates to sign malware, attackers can sneak malicious code past traditional security defenses. Bocek puts the problem into perspective, noting that "Code signing is critical to every mobile device and computer we touch."

Bocek notes that this matters because, with each CA following its own rules for how it issues and revokes code signing certificates, both developers and cybercriminals could game the system. Infoworld goes on to explain why: "Without any standards in place, it was possible to get accepted by one CA even after already being rejected by a different CA. The variance made it difficult to know which code-signing certificate could be trusted. With the guidance, each CA has some leeway in developing its own process for how to issue and revoke certificates, but the underlying requirements are the same from CA to CA."

But under the new standard, the burden of securing code signing will not rest entirely with the CAs. IT admins will also play an important part in the process. To comply with the standard, IT admins will be required to prove that they are taking steps to secure private keys. Requesters who do not meet the minimum requirements will not be issued a code-signing certificate, and may have an existing certificate revoked.

Code-signed malware is a serious problem. Without constant vigilance, it can only get worse. "The CA Security Council guidance on code signing is long overdue," Bocek said. "New methods of certificates to detect fraud and misuse such as Certificate Reputation will also see increased adoption as misuse of code signing certificates gets more and more attention."

Read more about how the standard may impact your certificate management and security in the full Infoworld article.

About the author

Scott Carter
Scott Carter writes for Venafi's blog and is an expert in machine identity protection.