the leading provider of machine identity protection, today announced the
results of a study of over 320 security professionals in the U.S.,
Canada and Europe on code signing security practices. According to the
study, only 28 percent of organizations consistently enforce a defined
security process for code signing certificates.
“When the code signing keys and certificates that serve as machine
identities fall into the hands of attackers, they can inflict enormous
damage,” said Kevin Bocek, vice president of security strategy and
threat intelligence at Venafi. “Secure code signing processes enable
apps, updates, and open source software to run safely, but if they’re
not protected attackers can turn them into powerful cyber weapons. Code
signing certificates were the key reason Stuxnet and ShadowHammer were
so successful. The reality is that every organization is now in the
software development business, from banks to retailers to manufacturers.
If you’re building code, deploying containers, or running in the cloud,
you need to get serious about the security of your code signing
processes to protect your business.”
The Venafi study found that although security professionals understand
the risks of code signing, they are not taking proper steps to protect
their organization from attacks. Key findings include:
Fifty percent are concerned cyber criminals are using forged or stolen
code signing certificates to breach the security of their
Globally, only 29 percent consistently enforce code signing security
policies, and this problem is much more acute in Europe, with only 14
percent doing so.
Thirty-five percent do not have a clear owner for the private keys
used in the code signing processes at their organizations.
Sixty-nine percent expect their usage of code signing to grow in the
Code signing processes are used to secure and assure the authenticity of
software updates for a wide range of software products, including
firmware, operating systems, mobile applications and application
container images. However, over
25 million malicious binaries are enabled with code
signing certificates, and cyber criminals are misusing these
certificates in their attacks. For example, security
researchers recently discovered bad actors hiding malware in
anti-virus tools by signing uploads with valid code signing certificates.
Bocek added: “Security teams and developers look at code signing
security in radically different ways. Developers are primarily concerned
about being slowed down because of their security teams’ methods and
requirements. This disconnect often creates a chaotic situation that
allows attackers to steal keys and certificates. In order to protect
themselves and their customers, organizations need a clear understanding
of where code signing is being used, control over how and when code
signing is allowed, and integrations between code signing and
development build systems. This comprehensive approach is the only way
to substantially reduce risk while delivering the speed and innovation
that developers and businesses need today.”
Venafi is the cybersecurity market leader in machine identity
protection, securing machine-to-machine connections and communications.
Venafi protects machine identity types by orchestrating cryptographic
keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi
provides global visibility of machine identities and the risks
associated with them for the extended enterprise – on premises, mobile,
virtual, cloud and IoT – at machine speed and scale. Venafi puts this
intelligence into action with automated remediation that reduces the
security and availability risks connected with weak or compromised
machine identities while safeguarding the flow of information to trusted
machines and preventing communication with machines that are not trusted.
With over 30 patents, Venafi delivers innovative solutions for the
world’s most demanding, security-conscious Global 5000 organizations and
government agencies, including the top five U.S. health insurers; the
top five U.S. airlines; the top four credit card issuers; three out of
the top four accounting and consulting firms; four of the top five U.S.,
U.K., Australian and South African banks; and four of the top five U.S.
retailers. Venafi is backed by top-tier investors, including TCV,
Foundation Capital, Intel Capital, QuestMark Partners, Mercato Partners
For more information, visit: www.venafi.com.