Venafi at RSA 2016: Breaking Closed Systems with Code Signing

February 22, 2016 | Gavin Hill

In a growing number of use cases, code signing with certificates has become critical for proving to end users that they can trust the source and integrity of installed code. Software distribution and updates, mobile apps, container security (like Docker), script execution and even file distribution all need signed code to establish trust. But with stolen or forged code-signing certificates, cybercriminals can hijack the trust granted to signed code and threaten unsuspecting businesses and consumers who expect this code to be safe.

Not all systems are created equal. Open systems such as Mac OS and Windows allow end users to trust unknown publishers; closed systems do not. One would think that closed systems are therefore safe, but hackers break them anyway and are able to install malware. When code-signing certificates are misused to give malware trusted status, security controls blindly trust this dangerous code, endangering consumers and businesses.

How can enterprises use code signing effectively to establish trust and avoid attacks that misuse it? At RSA, we reviewed attacks against several open systems (Windows, Android, Mac OS) and closed systems (iOS, automotive operating systems). We also showed the state of the industry and how organizations are going about protecting code-signing certificates from misuse.

Code signing to establish trust in the code's source and integrity

We also gave advice on how to protect your business: some proposed steps to mitigate code-signing abuse, and a proposal to the industry for how to detect and respond to code-signing misuse quickly and easily.

How do you use code signing in your organization? What use cases would you like to learn more about?
