Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsLogical SecuritySecurity & Business Resilience

Code signing is a valuable tool — if it’s secure

By Tomas Gustavsson
code developer at computer

Image from Unsplash

July 11, 2022

Today, just about everything relies on code. Software permeates virtually every aspect of our lives; from the products and machines we use each day to the critical infrastructure that supports society as a whole. It’s difficult to imagine a business, government agency, other entity or device that doesn’t depend on software in some way.

There was a time when end users could trust the software they downloaded. Unfortunately, that is no longer the case. As hackers and other cybercriminals become increasingly adept at the art of spreading malware, even information technology (IT) professionals find it difficult to know whether the software product they’ve purchased is legitimate. Not to mention automatic software updates by laptops, mobile and Internet of Things (IoT) devices.

Thanks to the adoption of continuous integration and continuous delivery (CI/CD) and build and test automation tools, application and operations teams are moving faster than ever, which means there are fewer human eyes with a direct line of sight into what’s happening throughout the pipeline. Bad actors have recognized this and look for weaknesses in these fast-moving and complex environments, injecting or modifying malicious code at virtually any point in the software supply chain. This can be anything that goes into or affects code from development, through an organization’s CI/CD pipeline, until it gets deployed into production (i.e. into software dependencies, into an organization’s source code repository or compromising build servers).

This is where code signing comes in.

Authenticity, integrity and trust: Why code signing matters in security

Code signing is a cryptographic method used by developers to prove that a piece of software is authentic. It protects against altered code and creates a chain of trust. Much like how an SSL certificate serves as a form of authentication to identify a website, a code signing certificate is a special class of digital certificate used by developers to sign applications and software.

A code signing certificate allows any recipient of the software to verify its legitimacy by confirming information such as the name of the company that developed the software — operating much like a driver’s license for the digital world.

Once the software is signed with a code signing certificate, it means that any version of the software that has that valid signature has not been altered by a third party. Confirming that a body of work has not been altered in transit is so important because any alterations to the software code could indicate the presence of malicious activity. The signed code means that what end users see and experience is exactly what the software creator intended.

Preventing code compromise

The trust and integrity of code signing hinge entirely on the security of an organization’s signing keys. In today’s threat environment, the private keys linked to code signing certificates are one of the biggest steals a hacker can make, as getting their hands on this part of the code signing certificate means they can create new software that appears to be legitimate and from a reputable source.

A single breach in this chain of trust can lead to severe damage for a business. The process of quickly revoking and reissuing certificates, notifying affected users and pushing out a newly signed update is expensive. Not to mention, reestablishing trust with users, business partners and investors can be a long and arduous process.

Beyond key theft, other common vulnerabilities include signing breaches and internal misuse. Hackers can get malicious code signed even without stealing the appropriate private keys if they can get into a developer workstation that has open access to the code signing keys. Once that happens, they can simply submit their software for signature and release. Additionally, if a developer has open access to the corresponding code signing key and accidentally misuses or misplaces it, they can create an opening for hackers to infiltrate operations.

Once security teams recognize and understand these vulnerabilities, there are a number of actions they can take to protect against them, creating more trust in the software supply chain.

1. Balance developer access 

The most common challenge organizations experience is implementing code signing in a way that effectively meets the needs of both developers and IT security teams. Providing too much access for developers can make the process vulnerable to attack. However, too little access creates friction in the development process, and teams are likely to circumvent security policies. Getting the balance right requires comprehensive protection for private code signing keys, so that they remain in a secure location and can only be accessed by restricted users.

2. Increasing visibility and control for security teams

Oftentimes, security teams lack visibility into and control over signing processes. Deploying technology that can centralize visibility and control to make it easy for security teams to audit everything can go a long way toward addressing this challenge. Having the right technology in place can help security teams track and monitor code signing activities, create an audit log for code signing certificates and signing attempts, and centralize and standardize policies for who can sign code.

3. Integrate code signing activities into development processes

The best way to ensure developers don’t circumvent security policies or accidentally open them up to risk is to integrate code signing activities into their existing DevOps processes. This should include integrating any signing tools with DevOps tools, enabling remote signing capabilities for distributed teams, and introducing checks and verifications that must happen before any code signing takes place.

4. Continually evaluate code signing activities

Code signing is an ongoing process. Certificates at some point will expire, keys and algorithms might weaken over time, and threats evolve. Keeping close tabs on all code signing activities, auditing all key usage, and covering code signing certificates in any broader PKI certificate management activities will not only help security teams spot threats earlier on, but also ensure that all of the controls that are put in place to protect a code signing certificate are properly maintained over time.

In our software-driven world, trust is everything. Ensuring that an organization’s security and development teams are working together to protect the digital certificates and keys used for code signing is key to ensuring their software remains secure and trusted – making code signing a critical part of a secure software supply chain.

KEYWORDS: code cyber security initiatives DevOps hacker software supply chain cyber security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Tomas gustavsson

Tomas Gustavsson is Chief PKI Officer at Keyfactor. He has a MSc from KTH in Stockholm and has been researching and implementing PKI systems since 1994. He is the founder and developer of the open source enterprise PKI project EJBCA, a certification authority software now widely deployed in production globally, as well as a contributor to numerous open source projects and a member of the board of Open Source Sweden. As a Co-Founder of PrimeKey, which merged with Keyfactor in 2021, Gustavsson is passionate about helping users worldwide find the best possible PKI and digital signature solutions.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Coding on screen

Research reveals mass scanning and exploitation campaigns

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

September 29, 2025

Global Security Exchange (GSX)

 

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber-frame

    If Michael Jordan is zero trust, then identity governance is Scottie Pippen — Why cybersecurity is a team sport

    See More
  • The Long and Winding Road to Cyber Recovery

    Shadow IT was a security crisis. Now Shadow IT 2.0 is looming. Let’s skip the crisis this time.

    See More
  • Pink and blue lines on dark screen

    Overcoming the IT skills gap and maintaining a secure business

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing