Code signing plays an important role in all businesses to verify the integrity of software used or distributed by the organization. Code signing has been around for decades and it’s widely used to guarantee that code is authentic and has not been corrupted.
However, because code signing credentials generate such high levels of trustworthiness, they are a highly valuable target for cybercriminals, who steal code signing credentials from legitimate companies to sign their malicious code. When signed with a legitimate certificate, malware does not trigger any warnings, and unsuspecting users will trust that the application is safe to install and use.
Just look at the recent case where cybercriminals modified the ASUS Live Update Utility to deliver a backdoor to approximately one million people. How did cybercriminals gain access to such critical business resources? Organizations often leave their code signing credentials unprotected.
This makes it relatively easy for cybercriminals to steal these credentials and use them in their attacks.
But let’s be clear. This is not a problem with the code signing operation itself. That remains a highly valuable function within any software company (And let’s face it, with digital transformation, we have all become software companies). The problem lies with an unsecuredprocess that is being used to sign code. Most organizations call it a day once the code is signed and simply aren’t doing enough to protect code signing keys and certificates they use to do so. Even worse, they don’t have workflows that limit the use of codes signing credentials to a limited list of authorized personnel. Wanna sign some code?
Right about now, you may be wondering if your organization is doing enough to protect code signing certificates. Answer these five questions about your code signing activities to figure out if your organization may have code signing problem:
- Got strong policies? Does your company have a code signing policy that defines where private keys are stored, who has access to those private keys, and who needs to approve the use of those keys?
- How much control do you have? Does your company enforce its code signing policy across all software development teams—whether they are developing internal-only software or software that will be distributed to customers and other third parties?
- Can you locate code signing certificates? Does your company have a complete inventory of ALL code signing certificates that are being used across the entire enterprise—no matter where they are stored or which certificate authority they came from? If you found malware on the internet signed by your company’s code signing certificate, where you know where to start looking for the source of the breach?
- Is your process too slow? Does your company have a labor-intensive, slow manual process for handling code signing operations? If so, do you find your development teams trying to circumvent it (or do you suspect that some are)?
- Are you using code signing everywhere you should? Does your company limit the code that it signs because development teams can’t manage code signing certificates themselves or teams doesn’t have the bandwidth?
If you answered yes to one or more of these questions, then you probably have a problem with your code signing process. If you answered yes to 4 or 5 of these questions, then you have a severe code signing process problem and you should act immediately.
Where should you start? As the person responsible for protecting critical business assets, such as code signing certificates and keys, you should start by understanding the following information about your code signing certificates:
- How many code signing certificates your company is using
- Where all the private keys for code signing are stored
- How secure your code signing private keys are
- Who is authorized to use your code signing credentials
- If software development teams are signing code that you’re not aware of
Armed with this information, you will be ready to put strong processes in place. But you probably can’t take this on single handedly. To help mitigate weaknesses in your code signing process, you will need to implement solutions that give you visibility, intelligence and automation control over code signing for your entire enterprise.
How secure are your code signing certificates?