Is Your Organization Code Signing-Agile?

July 20, 2021 | Pratik Savla
Are you ready for 3072-bit code signing keys?

On June 1, 2021, new code signing key size requirements mandated by the CA/B Forum went into effect. The change requires code signing keys to be at least 3072-bit RSA (up from the earlier minimum of 2048 bits).
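A defender-side check of that minimum, as an added example that is not part of the original post or of any Venafi product: it encodes a DER PKCS#1 RSAPublicKey from a constructed modulus, parses it back with a minimal DER reader, reads the modulus bit length and compares it with the 3072-bit floor. The key material is constructed inside the block (not real keys); a PEM certificate would first need its base64 wrapper and SubjectPublicKeyInfo layer removed.

```python
# Check whether an RSA code-signing public key meets the CA/B Forum 3072-bit
# minimum. DER PKCS#1: RSAPublicKey ::= SEQUENCE { modulus, publicExponent }.
MIN_CODE_SIGNING_RSA_BITS = 3072  # CA/B Forum minimum, effective June 1, 2021

def _der_len(n: int) -> bytes:
    # DER length: short form below 128, else long form with a length-of-length byte
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    # DER INTEGER; a leading 0x00 keeps a high-bit first byte positive
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    # Build a DER PKCS#1 RSAPublicKey (used here only to construct test data)
    inner = _der_int(modulus) + _der_int(exponent)
    return b"\x30" + _der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    # Decode one tag-length-value; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:
    # Modulus bit length is the "key size" the CA/B Forum policy refers to
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def meets_code_signing_minimum(der: bytes) -> bool:
    return rsa_modulus_bits(der) >= MIN_CODE_SIGNING_RSA_BITS

# Constructed moduli of the relevant bit lengths (not real RSA keys)
LEGACY_KEY = encode_rsa_public_key((1 << 2047) | 1)     # 2048-bit, now below policy
COMPLIANT_KEY = encode_rsa_public_key((1 << 3071) | 1)  # 3072-bit, meets policy
```

Run over an inventory of signing certificates, `meets_code_signing_minimum` flags the keys that must be rotated before the policy change is enforced.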

Code signing certificates are a high-value target for cybercriminals. Compromising one is highly prized among threat actors because it allows the creation of signed malware that appears legitimate, as if published by the organization’s own developers. This has drawn increased attention and focus not just from one group of hackers but from various active APT (Advanced Persistent Threat) groups.


Even though increasing the key size (an important security metric) exponentially reduces the probability of a successful brute force attack, companies can’t heave a sigh of relief on that basis alone. The current CA/B Forum change focuses entirely on key size, but security decision making for code signing cannot afford to treat key size as the only attack surface. Code signing remains vulnerable to many other forms of attack.

A side channel attack is generally not reported as a direct threat to code signing, and may not be practical in certain cases, but it should still be factored in because it seeks to obtain compromising information from secondary output channels.

A threat model of code signing should bring out weaknesses such as theft of keys stored in unsecured locations, compromise of the signing infrastructure through poor governance controls, and so on. Even compromise of a Certificate Authority (CA) is a major threat that must be factored in.

In light of the many recent high-profile supply chain attacks, organizations that write and deploy software need to take the code signing threat extremely seriously.

Code signing keys and certificates are important machine identities that must be secured, and Venafi CodeSign Protect is designed to do just that. Besides ensuring that private code signing keys never leave a secured location (preventing private key sprawl), Venafi can also ensure that these keys are used only when authorized (for example, when proper approvals have been obtained, time-of-day requirements are met, a specific code signing tool is used, or specific machines are used).

An important aspect of securing an organization’s code signing process is handling updates to security policy, such as this situation where the key length needs to change to 3072 bits. With Venafi CodeSign Protect, security teams have visibility into all code signing certs and keys in use across the enterprise and can easily modify security policy to reflect this change. Furthermore, certificates and keys can be automatically updated by Venafi to reflect these changes.

If anyone still needs convincing of the significance of attack vectors on code signing keys and certificates, they only need to look at the underground market, where the price of code signing certificates continues to increase, an indication of how profitable an endeavor it is for attackers.

About the author

Pratik Savla

Pratik is a Principal Security Engineer at Venafi. Formerly the Threat Intelligence Lead at VMware, he is a member of ISACA, ISSA, CSA, The Internet Society and The Electronic Frontier Foundation.