Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

Challenges and Best Practices with Securing Code and Apps at RSA Conference 2014

In the referenced video, we discuss the advantages to using a code signing service, vs traditional code signing certificates to sign application code. The video features speakers from Symantec, Oracle and the Apache foundation.
Created: 14 Apr 2014 • Updated: 15 Apr 2014 • 1 comment
DeanJC's picture
+1 1 Vote
Login to vote

2013 saw an increase in malware signed with valid code signing certificates. How did this happen? Are verified entities actually signing and distributing malware? That does not appear to be the case. Rather, the code signing private keys are being harvested from users' hard drives, extracted and sent to malicious parties. Microsoft identified a Trojan that specifically does just this. It's called Fareit and details about some of the malware signed using this exploit can be found here:

Symantec has come up with a solution to this using a cloud based code signing model. This approach keeps the private keys off developer's hard drives and in a secure environment protected by Symantec. This is called "SSAS" or Symantec Secure App Service.

At this year's RSA Conference, Symantec hosted a session moderated by Craig Spiezle of the Online Trust Alliance with panelists from Symantec, Oracle and the Apache Foundation. Please see the video here:

The cloud based model allows developers to authenticate themselves to the portal using 2 factor authentication, upload their binaries and have it returned signed by a publicly trusted Certificate Authority. This keeps the private keys secure and out of the reach of attackers while maintaining security for the developer's code. It also maintains logs of who signed what application and when they signed it. This could be important to large organizations that have a decentralized development environment. The current system allows for keys in the name of the organization to be kept by individual developers. While convenient, this can lead to problems if a developer decides to leave the company and take his private key or if a company undergoes an audit which requires an inventory of code signing certificates. More info on SSAS is available here:

Code signing isn't going away. More ecosystems are requiring it and it makes sense to insure your private keys are out of reach from malware authors lest your good name and reputation become tarnished if one of your keys is stolen and used to sign malicious code.

Comments 1 CommentJump to latest comment

Andy Horbury's picture

Great post to go with this we've produced this infographic on Secure App Service

Login to vote