Recently, the industry has seen an increase in incidents involving malware signed with legitimate code signing certificates owned by legitimate companies. In each of these incidents, the private key associated with the code signing certificate was either compromised or otherwise misused. Code signing private keys are owned and protected by the company or business, not by the Certificate Authority (CA).
Symantec advises companies to apply rigorous protection and security policies to safeguard their code signing private keys. Just as it is our responsibility as a CA to thoroughly authenticate each organization that applies for a code signing certificate, it is the responsibility of certificate owners to protect their private keys from compromise. When malicious code makes its way into the wild, it hurts everyone, whether a business, an organization or a user.
Symantec recommends the following best security practices and policies to protect code signing private keys.
Companies need to implement layers of protection for their private keys, covering elements such as physical key storage, application security, network security, and physical and user security policies.
- Physical Security
There is no security without physical security to protect critical assets. Implement technologies that make it hard for unauthorized people to enter and even harder to leave: dual access control, biometrics-based security, ubiquitous video monitoring and motion detectors, 24/7 security personnel and hardened facilities.
- Cryptographic Hardware Security Modules
Keys stored in software on general-purpose, shared computers are susceptible to compromise. It is therefore more secure, and a best practice, to store keys in secure, tamper-proof cryptographic hardware devices that are themselves kept in highly protected safes.
- Server, Digital and Network Security
Implement thorough and up-to-date network and endpoint security, including anti-malware and data loss prevention (DLP) on servers involved in signing code.
- Application Security
Applications used to sign code should be well understood and access to the application should be well regulated and audited.