Although security professionals understand the security risks code signing poses to their organisations, many are not taking proper steps to protect them from attacks.
This is according to a new study by machine identity protection firm Venafi, based on a poll of more than 320 security pros in the US, Canada and Europe.
It was stated that roughly a quarter (28 per cent) of organisations enforce a defined security process for code signing certificates on a consistent basis.
Half of IT security professionals polled worry cybercriminals will use either stolen or forged code signing certificates to gain access to their company’s network, and on a global scale – less than a third (29 per cent) consistently enforce code signing security policies. Code signing is used to confirm the authenticity of software updates.
In Europe, the numbers are even bleaker – 14 per cent. A third has no clear owner for the private keys that are used during code signing. Despite poor posture and the ever-present risk of cybersecurity incidents, businesses still expect code signing to grow next year.
“When the code signing keys and certificates that serve as machine identities fall into the hands of attackers, they can inflict enormous damage,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Secure code signing processes enable apps, updates, and open source software to run safely, but if they’re not protected attackers can turn them into powerful cyber weapons. Code signing certificates were the key reason Stuxnet and ShadowHammer were so successful. The reality is that every organization is now in the software development business, from banks to retailers to manufacturers. If you’re building code, deploying containers, or running in the cloud, you need to get serious about the security of your code signing processes to protect your business.”
Image source: Shutterstock/SkillUp