With an estimated 25 million pieces of malware enabled by code signing, it's about time we as an industry started taking the problem seriously. The Certificate Authority Security Council has finally stepped up to the plate with its first-ever standard for code signing. The new Minimum Requirements for Code Signing, for use by all Certificate Authorities (CAs), aims to improve internet security by making it easier to verify software authenticity.
Why do we need a standard? In a recent write-up in Infoworld, Venafi VP of security strategy Kevin Bocek notes that "Stolen code-signing digital certificates are sold every day on underground markets for more than $1,000 each." By using these stolen, legitimate code-signing certificates to sign malware, attackers can sneak malicious code past traditional security defenses. Bocek puts the problem into perspective, noting that "Code signing is critical to every mobile device and computer we touch."
Bocek notes that this is important because, with each CA setting its own rules for how it issues and revokes code signing certificates, both developers and cybercriminals could game the system. Infoworld goes on to explain why: "Without any standards in place, it was possible to get accepted by one CA even after already being rejected by a different CA. The variance made it difficult to know which code-signing certificate could be trusted. With the guidance, each CA has some leeway in developing its own process for how to issue and revoke certificates, but the underlying requirements are the same from CA to CA."
But with the new standard, the burden of security for code signing will not rest entirely with the CAs. IT admins will also play an important part in the process. To comply with the standard, IT admins will be required to prove that they are taking steps to secure their private keys. Requesters who do not meet the minimum requirements will not be issued a code-signing certificate, and may have an existing certificate revoked.
Code-signed malware is a serious problem. Without constant vigilance, it can only get worse. "The CA Security Council guidance on code signing is long overdue," Bocek said. "New methods of certificates to detect fraud and misuse such as Certificate Reputation will also see increased adoption as misuse of code signing certificates gets more and more attention."
Read more about how the standard may impact your certificate management and security in the full Infoworld article.