(1 votes, average: 5.00 out of 5)We all make mistakes — we’re human, after all. However, sometimes oversights can have nasty consequences. Verizon’s 2024 Data Breach Investigation Report (DBIR) confirms it: Human errors were among the root causes of 68% of data breaches.
In application development, even a small software signing error can significantly increase the chance of your organization or customers falling prey to attacks and malware infections.
In this article, we’ll explore the nine most common software signing blunders people make and a few down-to-earth solutions to prevent them. Our goal is to help prevent you from shipping a vulnerable final product that endangers your organization’s reputation, customers, and data.
John Lennon once said: “A mistake is only an error. It becomes a mistake when you fail to correct it.” So, let’s find out how to prevent nine frequent software signing snafus from becoming costly mistakes.
The 2024 Docker State of Application Development Report shows that 34% of developers put security-related tasks at the top of their difficult/very difficult-to-do list part of their software development process. However, skipping those tasks or relegating them to the end of the software development process is a dangerous game. Code tampering can happen at any time in your software development life cycle (SDLC). This is why it’s crucial to properly integrate code signing into the dev lifecycle early on to help mitigate vulnerabilities and protect the integrity of your software apps and code.
Self-signed certificates are often used during software development and testing. They’re quick and easy to generate, don’t cost a dime, and they don’t expire, as the generator sets the policies. However, these very characteristics also make them unsuitable (and unsafe) for production.
Forgetting to replace these internal certificates before releasing the software to the public can cost you more than you think. For instance, when a user attempts to install a self-signed software app, their operating system (OS) will display a security warning. Imagine how many potential customers you might lose because of it and the damage to your reputation.
Image caption: A trusted code signing certificate will transform the security warning on the left into the reassuring message on the right.
Did you know that publicly trusted code signing certificates expire between one to three years? And when it happens, the dreaded unknown publisher warning will come back with a vengeance every time a user downloads/installs the software signed with the expired certificate. The same goes for revoked certificates.
The one thing that can change this depressing scenario is adding a digital timestamp to your software after signing it. Without timestamping, every code signed with that particular certificate will be regarded as unsafe and will have to be re-signed with a valid certificate. This can cause many headaches for you, your customers, and other software users.
According to ReasonLabs, malware was the top security threat detected in Q1 2024, accounting for nearly 50% of all global detections. Software signing an infected code could have dramatic consequences on your organization’s reputation and finances.
Once downloaded, malware can infect your customers’ devices. One single infected machine can quickly snowball into a giant data breach, as demonstrated by the Snowflake incident impacting more than 165 major companies. (as of this article’s date of writing).
Prove Your Software Is Trustworthy
Signing your code shows users that your software and updates can be trusted.
Download our free code signing best practices eBook to learn how to help keep your supply chain secure and your company, customers & end-users safe.
62% of organizations interviewed by KeyFactor in 2022 didn’t even know how many certificates they had. Two years later, 84% confirmed that the increasing use of certificates and keys is still a challenge for their operation teams.
We get it. Decentralized teams, changes to security requirements, and evolving attacks aren’t making things easier. However, when you don’t know where your keys and certificates are, who is using them, and how and when they’re being used, then the risk of being stolen and exploited to sign malware is just around the corner.
In 2023, attackers stole and posted on the dark web an MSI computer manufacturer’s private keys for Intel Boot Guard, which were used on 116 MSI software products. This was a serious breach for many reasons, particularly when you consider that Intel Boot Guard’s purpose is to protect devices against malicious installation and download of malicious or vulnerable UEFI firmware.
The stolen keys enabled cybercriminals to sign malicious software and updates that, once downloaded, would have allowed malware to be installed on devices without being blocked by Boot Guard’s code integrity check.
In 2023, developers interviewed by Checkmarx left 57% of vulnerabilities they found in their code unresolved. Furthermore, nearly one-third of surveyed chief information security officers (CISOs) knowingly deployed vulnerable code with the hope that the issues would remain undiscovered. That’s downright scary.
In today’s digital world, where everything changes at lightning speed, you can’t bury your head under the sand and ignore security procedures to cut corners. You also can’t just hope and pray for the best. These approaches put your organization, code, and customers at risk while exponentially increasing your technical debt.
Let’s keep on talking about critical changes. In June 2023, the industry standard’s body issued new software signing guidelines requiring all private keys to be issued on secure hardware (e.g., a token or HSM) compliant with FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.
In summer 2024, the National Institute of Standards and Technology (NIST) will publish the new post-quantum cryptography (PQC) Federal Information Processing (FIPS) standards (FIPS 203, 204, and 205).
Are the developers and users in your organization unaware of such changes? If so, they might generate insecure keys, store them incorrectly, or use vulnerable algorithms to generate them. Any one of these scenarios represents an open door to trouble.
Want to know more? Discover in this video how a comprehensive digital certificate management solution can protect the integrity of your code along your whole software supply chain.
In February 2024, the remote desktop software provider AnyDesk announced that attackers stole some of their code signing keys and certificates. One day later, more than 18,000 credentials were advertised for sale on the dark web.
The outage lasted several days and impacted millions of users. The company had to revoke all code signing certificates and keys and request its 170,000 customers to change their passwords and install the latest, newly signed version of AnyDesk.
So, how can you prevent something like this from happening to your organization?
Here’s a basic overview of what the key rotation process looks like:
Software signing is a powerful tool that’ll help you secure your whole software supply chain and organization against threats (so long as it’s implemented correctly). It:
If poorly implemented or managed, it can become one of the worst chinks in your organization’s armor. Understanding the most common software signing errors is the first step toward a robust and secure software signing ecosystem.
Make your security armor shine again. Start repairing those dangerous chinks now. It’ll protect your products, customers, and business in the never-ending battle against bad guys.
Email Us
+1 (727) 291-0611
Chat Now
