Code Signing: Today's Challenge

Application software, like other digital assets, is vulnerable to tampering. Whether packaged in commercial products or in-house custom applications, software has been increasingly subject to advanced persistent threats (APTs). By exploiting modifications to that software, attackers use applications maliciously to steal sensitive data such as customer records or intellectual property. In an effort to protect their businesses, brands, partners, and users from software that has been infected by malware, software developers have adopted a practice known as code signing. An application of public key cryptography, code signing is a specific use of certificate based digital signatures that enables an organization to verify the identity of the software publisher and prove that the software has not been changed since it was published. But if code signing is to be an effective measure for identifying trustworthy software, the code signing process itself must be secure. To prevent attackers from using forged code signatures to hide infected code, organizations must take steps to protect the process for creating these digital signatures. For multiple reasons, the process of building trust into business applications is becoming more challenging over time: 

  • As virtualization brings flexibility, the dynamic deployment and de-provisioning of application instances increases the need for integrity validation.
  • With the proliferation of cloud-based services, software developers need to ensure the integrity of their software as it executes in cloud environments over which they have minimal control.
  • Growth of APTs is pressuring software producers to create a high assurance code signing process that in some cases might need to comply with regional standards and security certifications.
  • The smartphone and tablet revolutions, arrival of the ‘app store economy,’ and the deployment of intelligent connected devices are increasing the proportion of business logic that resides and executes on insecure devices in untrusted locations.

Risks

  • APTs can take control of your software to steal customer information or intellectual property.
  • Insecure code signing can create a false sense of security, providing a mechanism for attackers to hide their tracks.
  • Forged code signatures have far reach implications and can damage a firm’s reputation and business more than isolated attempts at software tampering
  • An overly cumbersome code signing process can tie up valuable technical resources and increase your costs.

Code Signing: Thales e-Security Solutions

Designed for software vendors of all sizes and for enterprises that develop their own code, the Thales Code Signing Solution is a comprehensive solution that enables you to implement high assurance, high-efficiency code signing processes to protect your software from tampering and bring appropriate governance to your software publishing practices. The Thales Code Signing Solution supports a range of authorization scenarios to suit your operational need—including automated request/approval workflows—and is backed by Thales e-Security’s extensive expertise in code signing best practices and emerging standards of due care. Hardware security modules provide tamper-resistant, certified protection for private code signing keys and a secure platform on which to execute critical digital signature processes.

Benefits:

  • Protect your company, partners, and users from the potential risks associated with software tampering.
  • Quickly implement a secure code signing process appropriate to your organization’s size and scope.
  • Maximize security with a tamper-resistant, hardware-based solution.
  • Simplify and streamline the code signing process using workflow automation capabilities.
  • Reduce risk by working with an expert in code signing best practices.
  • Deploy high assurance solutions that position your organization to meet requirements for regulatory compliance and emerging standards of due care.