A New Era of Software Processes Is on the Horizon

The report late last year from FireEye of a state-sponsored attack targeting SolarWinds’ Orion software sent a shockwave through the industry and the reverberations from the discovery are continuing to ripple. As many as 18,000 SolarWinds customers — including at least nine U.S. government agencies — were infected via the SunBurst breach of the network monitoring and management solution. Moreover, according to a recent study from IronNet, the average financial impact of that attack was 11% of annual revenue or about $12 million per company.

U.S. intelligence has put the blame for the attack on Russian-sponsored hackers, who compromised multiple Orion software updates that were released between March and June 2020, giving bad actors a backdoor into exploited systems. Our research found that the Orion software build and code-signing infrastructure was compromised, with the source code of the affected library directly modified to include malicious backdoor code that was compiled, signed, and delivered via the existing patch release management system.

How to Check Code Signing Installation: A Quick Guide

Quick Guide to Check Code Signing Installation in Google Chrome

Why have code signing certificates?

Code signing certificates are digital signatures that are of utmost importance to technology-driven businesses of the 21st century. You might ask, "Why do I need one? I already have a good reputation in my space."

Why Time Stamps for Code Signing Certificates Matter

Why timestamping matters

If you haven't timestamped the signature when signing software with a code signing certificate, the signature remains valid only until the certificate expires. In other words, the signature is valid as long as the data has not been tampered with, no certificate in the chain has been revoked, the root certificate is trusted, and the signing certificate is within its validity period. Once the certificate expires, is revoked, or otherwise becomes invalid, the signature is considered invalid and a trust warning is displayed.

To eliminate this issue, timestamping is used. Timestamping a code signing signature records when the software file was signed. It is similar to signing a document in the presence of a notary: the timestamp acts as the notary's witness to the identity of the signatory and to the time of signing.
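The validity rule described above, as an added example that is not part of the original article: a small model of how a verifier decides whether a signature is trusted with and without a timestamp. The certificate names, the artifact bytes and the dates are constructed for the example, and the chain and hash checks stand in for real cryptographic verification.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime

@dataclass
class SignedArtifact:
    content: bytes
    signed_digest: str            # SHA-256 of the content as it was at signing time
    chain: list                   # leaf certificate first, root last
    timestamp: Optional[datetime] # signing time attested by a timestamp authority, or None

def signature_valid(art, trusted_roots, revoked, verify_time):
    """Return (valid, reason) following the rule in the excerpt."""
    if hashlib.sha256(art.content).hexdigest() != art.signed_digest:
        return False, "data tampered"
    if art.chain[-1].subject not in trusted_roots:
        return False, "root not trusted"
    for cert in art.chain:
        if cert.subject in revoked:
            return False, f"{cert.subject} revoked"
    # Without a timestamp the certificate is checked against the current time;
    # with one, it is checked against the attested signing time instead.
    check_time = art.timestamp or verify_time
    leaf = art.chain[0]
    if not (leaf.not_before <= check_time <= leaf.not_after):
        return False, "signing certificate outside validity period"
    return True, "ok"

def demo():
    """Constructed scenario: verification two years after the leaf cert expired."""
    utc = timezone.utc
    leaf = Certificate("Example Corp Code Signing", datetime(2020, 1, 1, tzinfo=utc),
                       datetime(2021, 1, 1, tzinfo=utc))
    root = Certificate("Example Root CA", datetime(2015, 1, 1, tzinfo=utc),
                       datetime(2035, 1, 1, tzinfo=utc))
    payload = b"installer bytes (constructed)"
    digest = hashlib.sha256(payload).hexdigest()
    signed_at = datetime(2020, 6, 1, tzinfo=utc)   # inside the leaf's validity period
    now = datetime(2022, 3, 1, tzinfo=utc)         # after the leaf expired
    roots, revoked = {"Example Root CA"}, set()
    return {
        "untimestamped": signature_valid(SignedArtifact(payload, digest, [leaf, root], None), roots, revoked, now),
        "timestamped": signature_valid(SignedArtifact(payload, digest, [leaf, root], signed_at), roots, revoked, now),
        "tampered": signature_valid(SignedArtifact(payload + b"!", digest, [leaf, root], signed_at), roots, revoked, now),
    }
```

Running `demo()` shows the untimestamped signature failing once the certificate has expired while the timestamped one still verifies, and the tampered file failing regardless of the timestamp.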

The Problem With Code Signing Private Key Sprawl

Code Signing Private Keys Are Everywhere

People hide keys under their welcome mats, under the potted plant next to the front door, above the door jamb, or maybe under that fake-looking rock next to the front walk. But why would they hide their front door key in such obvious places? If I were a burglar, these are the first places that I would check (well, I would first check to see if the front door was even locked).

But some people are smarter than this. Instead of putting the spare key in an obvious hiding place, they make a few copies and hand them out to the dog sitter, the next-door neighbor, their boyfriend/girlfriend, or the handyman fixing the washing machine. Before they know it, they’ve lost track of who they have given keys to and their house is vulnerable once again.

Code Signing Credentials Are Machine Identities and Need to Be Protected

The world is experiencing a digital transformation that is eclipsing all previous technological advancements. As more IT workloads move to the cloud, and as more IT services are containerized, they all need to be authenticated using cryptographic keys and digital certificates, or machine identities. Given the pace and scale of this new world of machines, protecting those machine identities is becoming increasingly critical to security. Although these changes affect every business, many organizations use outdated methods to protect the exponentially rising number of machine identities they now require. Those approaches simply can’t keep up.

How does this impact the security of code? There are many types of machine identities — TLS, SSH, mobile and more — that are used on many types of machines. When you look at it in this light, code is the ultimate "machine" that requires an authorized identity so that we can trust it. That is precisely why machine identities are so critical to the code signing process.