Top 5 Indicators that Your Company Might Have a Code Signing Problem

June 25, 2019 | Eddie Glenn

Code signing plays an important role in every business: it lets users and systems verify the integrity and origin of software the organization uses or distributes. Code signing has been around for decades and is widely used to guarantee that code comes from the stated publisher and has not been tampered with since it was signed.

However, because a valid signature confers such a high level of trust, code signing credentials are a highly valuable target for cybercriminals, who steal them from legitimate companies and use them to sign malicious code. Malware signed with a legitimate certificate does not trigger the warnings that operating systems show for unsigned or untrusted code, so unsuspecting users will trust that the application is safe to install and use.

Just look at the recent case in which cybercriminals modified the ASUS Live Update Utility to deliver a backdoor to approximately one million people. How did they gain access to such a critical business resource? Organizations often leave their code signing credentials unprotected, which makes it relatively easy for cybercriminals to steal these credentials and use them in their attacks.



But let’s be clear. This is not a problem with the code signing operation itself. Signing remains a highly valuable function within any software company (and let’s face it, with digital transformation we have all become software companies). The problem lies with the unsecured process that surrounds it. Most organizations call it a day once the code is signed and simply aren’t doing enough to protect the code signing keys and certificates they used to sign it. Even worse, they don’t have workflows that restrict the use of code signing credentials to a short list of authorized personnel; in practice, anyone who can reach the key can sign whatever they like.
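To make concrete what a signature does and does not prove, here is an added example in Go; it is not code from the original post or from Venafi. It mints a self-signed code signing certificate, signs an artifact, and runs the checks an installer or loader should perform before trusting it: the certificate is within its validity period, it carries the id-kp-codeSigning extended key usage, and the signature matches the artifact's SHA-256 digest. The vendor name, artifact bytes and scenario labels are constructed for the illustration, and chain building to a trusted root is omitted. The last scenario is the point of the post: an attacker holding a copy of the private key produces a signature that verifies exactly like the vendor's own, so key custody, not the verification math, is what protects you. Real verifiers also accept a countersigned timestamp so that signatures outlive certificate expiry; that is left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is a code signing credential: a certificate plus the private key behind it.
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSignedCert mints a self-signed P-256 certificate with the given extended key
// usages. Constructed for this example: a production credential is CA-issued and its
// key lives in an HSM, not in process memory.
func newSelfSignedCert(cn string, ekus []x509.ExtKeyUsage) *Signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Signer{Cert: cert, Key: key}
}

// Sign returns a detached ECDSA signature over SHA-256(artifact).
func (s *Signer) Sign(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	must(err)
	return sig
}

// VerifyCodeSignature performs the checks a loader should make before trusting an
// artifact: validity period, code signing EKU, and signature over the digest.
func VerifyCodeSignature(cert *x509.Certificate, artifact, sig []byte) error {
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at verification time")
	}
	permitted := false
	for _, eku := range cert.ExtKeyUsage {
		permitted = permitted || eku == x509.ExtKeyUsageCodeSigning
	}
	if !permitted {
		return fmt.Errorf("certificate lacks the code signing extended key usage")
	}
	// CheckSignature hashes artifact with SHA-256 and verifies with the cert's key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, artifact, sig); err != nil {
		return fmt.Errorf("signature does not match artifact: %w", err)
	}
	return nil
}

// Scenarios exercises the verifier; a nil error means the artifact would be trusted.
func Scenarios() map[string]error {
	vendor := newSelfSignedCert("Example Vendor Code Signing", []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	web := newSelfSignedCert("www.example.com", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	update := []byte("updater v1.2.3 (constructed artifact)")
	tampered := append(append([]byte{}, update...), "+backdoor"...)
	results := map[string]error{}

	sig := vendor.Sign(update)
	results["genuine update"] = VerifyCodeSignature(vendor.Cert, update, sig)
	results["tampered after signing"] = VerifyCodeSignature(vendor.Cert, tampered, sig)
	results["signed with a TLS certificate"] = VerifyCodeSignature(web.Cert, update, web.Sign(update))
	// The attacker holds a copy of the vendor's private key: the signature is
	// indistinguishable from a legitimate one, and verification accepts it.
	results["malware signed with stolen key"] = VerifyCodeSignature(vendor.Cert, tampered, vendor.Sign(tampered))
	return results
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

Run it with `go run` and note that the only scenario the verifier cannot catch is the one this post is about: the signature over the backdoored artifact is accepted because it was made with the genuine key. Everything that distinguishes that case from a real release happens before signing, in who was allowed to use the key and whether the key ever left controlled storage.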

Right about now, you may be wondering whether your organization is doing enough to protect its code signing certificates. Answer these five questions about your code signing activities to figure out whether your organization has a code signing problem:

  1. Got strong policies? Does your company have a code signing policy that defines where private keys are stored, who has access to those private keys, and who must approve each use of those keys?
  2. How much control do you have? Does your company enforce its code signing policy across all software development teams, whether they are developing internal-only software or software that will be distributed to customers and other third parties?
  3. Can you locate code signing certificates? Does your company have a complete inventory of ALL code signing certificates in use across the entire enterprise, no matter where they are stored or which certificate authority issued them? If you found malware on the internet signed with your company’s code signing certificate, would you know where to start looking for the source of the breach?
  4. Is your process too slow? Does your company have a labor-intensive, slow, manual process for handling code signing operations? If so, do you find your development teams trying to circumvent it (or do you suspect that some are)?
  5. Are you using code signing everywhere you should? Does your company limit the code it signs because development teams can’t manage code signing certificates themselves or don’t have the bandwidth?

If your answers reveal one or more gaps (a no to any of the first three questions, or a yes to either of the last two), you probably have a problem with your code signing process. If four or five of your answers point to gaps, you have a severe code signing process problem and should act immediately.

Where should you start? As the person responsible for protecting critical business assets, such as code signing certificates and keys, you should start by understanding the following information about your code signing certificates:

  • How many code signing certificates your company is using
  • Where all the private keys for code signing are stored
  • How secure your code signing private keys are
  • Who is authorized to use your code signing credentials
  • Whether any software development teams are signing code that you are not aware of

Armed with this information, you will be ready to put strong processes in place. But you probably can’t take this on single-handedly. To mitigate weaknesses in your code signing process, you will need to implement solutions that give you visibility, intelligence and automated control over code signing across your entire enterprise.

About the author

Eddie Glenn

Eddie is the Product Marketing Manager over Code Signing at Venafi. A product marketing professional in SaaS, Enterprise, and Embedded Software, he has a strong technical background and experience with inbound and outbound marketing, business and marketing strategy, and marketing operations.
