Code signing plays an important role in all businesses to verify the integrity of software used or distributed by the organization. Code signing has been around for decades and it’s widely used to guarantee that code is authentic and has not been corrupted.
However, because code signing credentials generate such high levels of trustworthiness, they are a highly valuable target for cybercriminals, who steal code signing credentials from legitimate companies to sign their malicious code. When signed with a legitimate certificate, malware does not trigger any warnings, and unsuspecting users will trust that the application is safe to install and use.
Just look at the recent case where cybercriminals modified the ASUS Live Update Utility to deliver a backdoor to approximately one million people. How did cybercriminals gain access to such critical business resources? Organizations often leave their code signing credentials unprotected.
This makes it relatively easy for cybercriminals to steal these credentials and use them in their attacks.
But let’s be clear. This is not a problem with the code signing operation itself. That remains a highly valuable function within any software company (And let’s face it, with digital transformation, we have all become software companies). The problem lies with an unsecured process that is being used to sign code. Most organizations call it a day once the code is signed and simply aren’t doing enough to protect code signing keys and certificates they use to do so. Even worse, they don’t have workflows that limit the use of codes signing credentials to a limited list of authorized personnel. Wanna sign some code?
Right about now, you may be wondering if your organization is doing enough to protect code signing certificates. Answer these five questions about your code signing activities to figure out if your organization may have code signing problem:
If you answered yes to one or more of these questions, then you probably have a problem with your code signing process. If you answered yes to 4 or 5 of these questions, then you have a severe code signing process problem and you should act immediately.
Where should you start? As the person responsible for protecting critical business assets, such as code signing certificates and keys, you should start by understanding the following information about your code signing certificates:
Armed with this information, you will be ready to put strong processes in place. But you probably can’t take this on single handedly. To help mitigate weaknesses in your code signing process, you will need to implement solutions that give you visibility, intelligence and automation control over code signing for your entire enterprise.
How secure are your code signing certificates?