There is an abundance of use cases in which code signing using certificates has become more critical to prove to end users that they can trust the source and the integrity of the installed code. From software distribution and updates, to mobile apps and container security (like Docker), to execution of scripts and even file distribution—they all need to have their code signed to establish trust. But with stolen or forged code-signing certificates, cybercriminals can hijack the trust granted to signed code and threaten unsuspecting businesses and consumers who will expect this code to be safe.
Not all systems are created equal. There are open systems like Mac OS and Windows, for example, that allow end users to trust unknown publishers, and closed systems that do not. One would think that the closed systems are therefore safe, but hackers break them anyway and are able to install malware. When code-signing certificates are misused to give malware code trusted status, security controls blindly trust this dangerous code, endangering consumers and businesses.
How can enterprises effectively use code-signing to establish trust and avoid attacks that misuse code-signing? At RSA, we reviewed attacks against several open (Windows, Android, Mac OS) and closed systems (IOS, automotive operating systems). We also showed the state of the industry and how organizations are going about protecting code-signing certificates from misuse.
We also gave advice how to protect your business with some proposed steps to mitigate code signing abuse and a proposal to the industry of how to detect and respond to code signing misuse quickly and easily.
How do you use code signing in your organization? What use cases would you like to learn more about?