Though security professionals generally understand that code-signing attacks pose a threat to the enterprise, they have not yet taken appropriate measures to protect the enterprise from such attacks. If the code signing keys and certificates that act as a machine's identity fall into the hands of an attacker, they would undoubtedly cause great damage.
According to a survey by Venafi based on more than 320 security experts in the US, Canada and Europe, only about a quarter (28%) of enterprises implement consistent security verification based on code-signed certificates.
Half of the IT security professionals surveyed are concerned that cybercriminals could use stolen or forged code-signing certificates to access their company's network, and less than one-third (29%) of respondents worldwide always enforce code signing security policies. In Europe, this figure is even bleaker – only 14%. One-third said that the private key used for code signing did not have an explicit owner.
Although the security picture is not encouraging, enterprises still expect their use of code signing to increase in the next year. In fact, every enterprise is now in the software development business, from banks to retailers to manufacturers. If you are building code, deploying containers, or running code in the cloud, you need to take the security of the code signing process seriously to protect your business. In addition, code signing is used to confirm the authenticity of software updates.
A secure code signing process enables applications, updates and open source software to run safely. However, if code signing processes are not protected, an attacker can turn them into powerful cyber weapons. The key reason for the success of the earlier Stuxnet and ShadowHammer attacks was the abuse of code signing certificates.
The vice president of security strategy and threat intelligence at Venafi, Kevin Bocek said, “Secure code signing processes enable apps, updates, and open source software to run safely, but if they’re not protected attackers can turn them into powerful cyber weapons. Code signing certificates were the key reason Stuxnet and ShadowHammer were so successful. The reality is that every organization is now in the software development business, from banks to retailers to manufacturers. If you’re building code, deploying containers, or running in the cloud, you need to get serious about the security of your code signing processes to protect your business.”
Published by Emerson L. Sullivan & last updated on June 13, 2019 2:32 am