Skip to main content
banner image
venafi logo

Understanding How Code Signing Impacts Your Organization

Understanding How Code Signing Impacts Your Organization

how-code-signing-impacts-your-organization
June 2, 2022 | Alexa Hernandez

Alarmingly, hackers are quite adept at stealing code signing machine identities, inserting their malware into legitimate software, signing it with the stolen keys, and then distributing it. To the rest of the world, the malware-infected software update looks legit because it has a valid signature.

When properly protected, code signing is an effective tool to stop the spread of malware, and nearly every organization relies on code signing to confirm their code is authentic and hasn’t been corrupted with malware. Code signing your software has significant implications for several areas of your organization.

Why do cybercriminals target code signing keys? Download the eBook to learn more.
Liability

If legitimate software provided by your organization is tampered with—such as malware being added—and then signed with your organization’s legitimate code signing keys, your organization may experience a liability situation from your customers who are the ones who will suffer from that malware attack. The same is true if your private code signing keys are stolen and used to sign standalone malware. In addition, if a critical IT function was compromised by modifying a script, sensitive corporate, customer, or personal data could be jeopardized. This creates significant liability for your organization with not only your customers but also with regulatory agencies.

Damage to Brand, Revenue and Stock Value

Code signing attacks can also damage your brand reputation which impacts your revenue, market share, and stock price because customers will associate your brand with risky or unsafe software that has harmed them. This has been demonstrated in multiple types of attacks over the past few years.

Changes to Critical Software Infrastructure

Your critical software infrastructure includes enterprise-wide applications such as accounting systems, customer relationship systems, invoicing systems, network or database maintenance scripts and any other software that’s critical to the efficient functioning of your business. Compromise, misuse or disruption of this software can jeopardize your business, not to mention financial damage, loss of trust and widespread societal consequences. Similarly, intrusions into development systems or the code signing infrastructure itself could result in malicious code being signed.

Think of the amount of software and scripts that are used to maintain your business infrastructure. These applications often have access to sensitive company secrets, sensitive customer information or personal and confidential information of your users. A modification to an IT script such as one responsible for backups could put all this sensitive data at risk.

Code signing your critical software infrastructure prevents cybercriminals from accessing and modifying your unprotected internal software, including critical IT shell scripts.

But code signing software infrastructure alone may no longer be enough to prevent cybercriminals from their work as they now target the theft or misuse of private code signing keys and strike earlier in the software development process. They use these unprotected private keys to either sign malware or tamper with your software. Tens of millions of code signing keys have been reported stolen or forged from legitimate businesses. This should be a concern to all businesses.

Unauthorized changes to Software Artifacts Used for Software Development

An intermediate artifact is an item (document, file, script, library, and so on) that’s used during the development of software. Signing these artifacts throughout the development cycle ensures they aren’t modified except by the authorized author. If changes to a file or script are required, developers can do that within the development environment, code sign it, and then store the signed artifact in their repository for later use. Code signing these intermediate artifacts helps to guard against infiltrators inserting undesired elements during the build process.

Modern software development methodologies utilize many different components, such as the ones shown below. If any of these components are compromised with malware, it could result in a serious breach. Because of this, it’s imperative that your software development teams code sign all the intermediate artifacts they use to build software.

Unsafe IT Automation Scripts and Business Macros

Digitally signing your IT automation scripts and macros binds your identity to the code. Users of your automation scripts or macros then can trust that the script or macro really did come from you and hasn’t been modified by a third party. This can alleviate an end-user’s concern about running unsafe code. Any changes to the script or macro made after the signature has been applied, such as insertion of a virus, will invalidate the signature, protecting your name and reputation.

Conclusion

Code signing is a critical security control that provides software with a machine identity used to verify its legitimacy. For code signing, these machine identities manifest as digital certificates and private keys, both of which must be secured. Organizations protect software with the help of code signing—ensuring that software receives a digital signature that guarantees the identity of the author and the integrity of the code. When your company’s code is signed with a private key and an accompanying certificate, it’s supposed to confirm your company is the author and the code is trustworthy, assuring the software’s integrity. Your customers expect products signed with your code signing certificates to be secure, and that’s how they rely on your brand to deliver safe products.

If your organization is need of fast and efficient code signing, check out Venafi CodeSign Secure to secure your code signing private keys, automate your workflows and maintain a record of all code signing activities.

Related Posts

Like this blog? We think you will love this.
code-signing-abuse
Featured Blog

Study Shows Widespread Abuse of Code Signing Certificates

A study by Vi

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Alexa Hernandez
Alexa Hernandez

Alexa is the Web Marketing Specialist at Venafi.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more