Only a little over a quarter (28%) of global organizations have a clearly defined security process in place for code signing, potentially opening the door for hackers to steal and use these certificates in attacks, according to new Venafi research.
The security vendor polled 320 security professionals in the US, Canada and Europe to better understand the risks posed by code signing — the process used to verify the origin and integrity of software and software updates.
Although half said they were concerned that cyber-criminals are using forged or stolen code signing certificates to breach organizations, few enforce security policies at this layer. Among European respondents, the share with a clearly defined code signing security process was even lower than the overall average, at just 14%.
What’s more, over a third (35%) admitted that they don’t have a clear owner for the private keys used in code signing.
The challenge is likely to become even more acute going forward, with 69% of firms saying they plan to increase usage of code signing in the coming year, according to Venafi.
The vendor’s vice-president of security strategy and threat intelligence, Kevin Bocek, argued that code signing certificates enabled both the notorious Stuxnet and ShadowHammer attacks to succeed.
“Security teams and developers look at code signing security in radically different ways. Developers are primarily concerned about being slowed down because of their security teams’ methods and requirements. This disconnect often creates a chaotic situation that allows attackers to steal keys and certificates,” he added.
“In order to protect themselves and their customers, organizations need a clear understanding of where code signing is being used, control over how and when code signing is allowed, and integrations between code signing and development build systems. This comprehensive approach is the only way to substantially reduce risk while delivering the speed and innovation that developers and businesses need today.”