An interesting paper released by Thawte which explain reasons why to implement software code signing and how to do it into the enterprise enviroment, in order to decrease the risk of breaches caused by a not authorized software.
The full paper is downloadable Hier.
Executive summary
The efficacy of code signing as an authentication mechanism
for software depends on the secure storage of code
signing private keys used by software publishers. But a
series of recent malware attacks using malicious programs
signed with legitimate certificates shows that some developers
don’t take sufficient precaution.Code signing is a technology which uses digital certificates
and the public key infrastructure to sign program files so
that users can authoritatively identify the publisher of the
file and verify that the file hasn’t been tampered with or
accidentally modified. As with other PKI technologies, der
integrity of the system relies on publishers securing their
private keys against outside access.
Nobody who’s talking knows what actually happened at the
two companies whose private keys were compromised, but
it appears that attackers obtained access to their private
keys through some form of break-in, probably an electronic
one. The damage to these two companies has been considerable
and goes beyond the mud through which their
names were dragged. Without minimizing the culpability of
the actual criminals who broke in to their networks, it’s fair
to conclude that these two companies did not take sufficient
precautions to protect their private keys.
Companies which are diligent and willing to invest in the
appropriate security measures can make the compromise
of their private keys highly unlikely. Changes in developer
processes may be necessary, but these should not impose
serious inconvenience.This paper describes recent security breaches and why
they may have happened. It discusses best practices,
especially for the Windows platform, which can help to
safeguard the private keys associated with code signing
certificates.Critical factors are:
• Security of the developers’ networks and the developers’
systems themselves.
• Minimal access to the private keys associated with
genuine code signing certificates and the code signing
process.
• The use of hardened cryptographic hardware products
to protect the private keys.
The post Best Practice für Code Signing mit Zertifikaten appeared first on .