The Top 11 Code Signing Best Practices to Protect Your Customers and Keep Your Software Tamper-Free

Want to protect your home from thieves? A security system is a popular option. However, it’s not very effective if you don’t install it properly, fail to activate it when you aren’t home, or use “123456” as the security Code. The same applies to Code Signing certificates. They’re the best way to protect the integrity of your software and prevent tampering by hostile third parties, but only if code signing best practices are followed. Otherwise, you might as well not even bother.

 If you still need convincing, just look at the recent SolarWinds breach. Sloppy code signing practices left the door wide open for hackers, and they were able to inject malicious code into legitimate software updates without anyone noticing. As Mike Nelson, DigiCert’s VP of IoT Security, explains:

Code signing works. Poorly implemented code signing puts your business at greater risk. In the case of SolarWinds, they were using a code signing certificate to sign the files. The problem wasn’t the code signing certificate, the problem was the way they were practicing code signing.

Those SolarWinds updates got pushed to nearly 18,000 customers, including Microsoft, Nvidia, Intel, and Cisco, who were suddenly left exposed via a backdoor hidden within the SolarWinds software. It’s nothing new – a similar situation occurred with Asus in 2019 – and attackers will continue to attempt code tampering as long as companies are lax with their processes.

So, what is code signing exactly? Why is it such an important part of the software development cycle? And, most importantly, what are the code signing best practices that your organization should always follow?

Let’s hash it out.

The post The Ultimate Guide to Code Signing Best Practices appeared first on Hashed Out by The SSL Store™.