Study: How Well Are You Protecting Code Signing Certificates?

code signing certificates, Code Signing, Stuxnet, ShadowHammer
June 17, 2019 | Eva Hanscom


Code signing processes are used to secure and assure the authenticity of software updates for a wide range of software products, including firmware, operating systems, mobile and cloud applications and application container images.

However, more than 25 million malicious binaries carry code signing certificates, which makes it clear that cyber criminals are gaining access to private keys and misusing the associated certificates in their attacks. For example, security researchers recently discovered bad actors hiding malware in anti-virus tools by signing uploads with valid code signing certificates.

“Code signing keys and certificates serve as machine identities to authenticate all kinds of code so when they fall into the hands of attackers, they can be used to inflict enormous damage,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Secure code signing processes enable apps, updates, and open source software to run safely, but if they’re not protected attackers can turn them into powerful cyber weapons. Code signing certificate misuse was the key reason Stuxnet and ShadowHammer were so successful.”

Code signing keys and certificates are crucial security assets, but are organizations taking the proper steps to protect them? To find out, Venafi recently polled 320 security professionals in the U.S., Canada and Europe to learn more about their code signing security practices. The study found that although respondents understand the risks of code signing, they are not taking proper steps to protect this type of machine identity.

For example, according to the study, only 28 percent of organizations consistently enforce a defined security process for code signing certificates.

“The reality is that every organization is now in the software development business, from banks to retailers to manufacturers,” continued Bocek. “If you’re building code, deploying containers, or running in the cloud, you need to get serious about the security of your code signing processes to protect your business.”

Additional findings from the study include:

Fifty percent are concerned cyber criminals are using forged or stolen code signing certificates to breach the security of their organizations.

Globally, only 29 percent consistently enforce code signing security policies, and this problem is much more acute in Europe, with only 14 percent doing so.

35 percent do not have a clear owner for the private keys used in the code signing processes at their organizations.

69 percent expect their usage of code signing to grow in the next year.

“Security teams and developers look at code signing security in radically different ways,” concluded Bocek. “Developers are primarily concerned about being slowed down because of security teams’ methods and requirements. This disconnect often creates a chaotic situation that allows attackers to steal code signing keys and certificates. The only way to protect themselves and their customers is for organizations to have a clear understanding about when code signing is allowed, where it is being used and insight into the integrations between code signing and development build systems.

“This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”
