Code Signing Seen as Effective Way to Safeguard App Security
NEWS ANALYSIS: Certificate Authorities (CAs) are ramping up efforts to make code signing the norm for application security.

There are a number of different ways to ensure application security in the modern IT environment. One of them is to start right at the source, by enabling application developers to digitally sign their code in an effort to guarantee the integrity and authenticity of a given application.

The Certificate Authority Security Council (CASC) is now engaged in an education campaign to expand awareness of code signing. The CASC is an industry group that was launched in February 2013 and that includes the world's leading Certificate Authorities (CAs). A CA is an organization that issues and manages security certificates that are used for Secure Sockets Layer (SSL) encryption as well as application code signing. The CASC also works hand in hand with the CA Browser (CAB) Forum, which is a group that includes both CAs and web browser vendors.

The basic idea behind code signing is that an application can be signed by a software developer with a valid certificate from a CA. The role of the CA is to verify that the certificate has been granted to an authentic application. If the application is later compromised and is deemed to be malicious, the CA should be able to revoke the certificate. If the system works as intended, the malicious application should no longer run once the CA has revoked its certificate.
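The chain of trust just described (CA issues a code-signing certificate, the developer signs, the verifier checks the chain, the signature and the revocation status) as an added Go example; this is illustrative code written for this article, not code from the CASC or any CA. It assumes a toy Ed25519 root CA built in memory, names such as BuildDemo and VerifyCode that are invented here, and an in-memory revoked-serial set standing in for the CRL or OCSP lookup a real verifier would perform.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildDemo plays both the CA and the developer: a toy root CA issues a code-signing certificate and
// the developer signs a constructed "binary". Returns trust store, code, leaf cert (DER), signature, serial.
func BuildDemo() (roots *x509.CertPool, code, leafDER, sig []byte, serial string) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute) // small skew margin so NotBefore is already in the past
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv)
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Software Inc"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}} // issued for code signing only
	leafDER, _ = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, devPub, caPriv)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	code = []byte("constructed sample binary v1.0") // constructed stand-in for the application
	return roots, code, leafDER, ed25519.Sign(devPriv, code), leafTmpl.SerialNumber.String()
}

// VerifyCode applies the acceptance rule the article describes: the certificate must chain to a trusted CA,
// be issued for code signing and not be revoked, and the signature must match the code (revoked = CRL/OCSP stand-in).
func VerifyCode(code, leafDER, sig []byte, roots *x509.CertPool, revoked map[string]bool) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if revoked[leaf.SerialNumber.String()] {
		return fmt.Errorf("certificate %s was revoked by its CA", leaf.SerialNumber)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // untrusted issuer, expired, or not a code-signing certificate
	}
	if pub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, code, sig) {
		return fmt.Errorf("signature does not match the code: tampered or forged")
	}
	return nil
}
```

Running VerifyCode with the developer's certificate on the revoked list rejects the same package that verified a moment earlier, which is the behaviour the revocation step is meant to guarantee.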
One of the reasons why code signing isn't as broadly adopted today as it could be may be that, as yet, there are no minimum baseline standards for CAs on how the code signing infrastructure and process should work. The CAB Forum is now working on a public draft of baseline requirements for code signing certificates, Jeremy Rowley, Associate General Counsel at DigiCert, told eWEEK.