Code Signing: A Security Control That Isn’t Secured

  • Date 20 Nov 2019 - Wednesday

20 Nov 2019, 10:00 - 10:50

Track 2: Cyber threat intelligence & technologies

Enterprises use code-signing but overlook securing the infrastructure that supports the signing process. Learn which poor practices result in operational inefficiencies and security risks, and how to create a scalable, secure code-signing ecosystem.

After this session you will be able to:

  • Understand the ecosystem surrounding code-signing issuance, which must be orchestrated accurately to keep code-signing certificates secure, and apply this to assess weaknesses in your own code-signing infrastructure and processes.
  • Identify the four main poor practices applied to code-signing infrastructure, including decentralized control, a lack of policy enforcement around access rights, a lack of visibility and accountability, and insufficient knowledge/expertise.
  • Recognize operational inefficiencies and security risks that result from poor practices, such as failing to meet the volume and velocity of signing demand, inconsistent policy enforcement, and certificates and keys scattered across the enterprise.
  • Know how to create a scalable and secure code-signing infrastructure that considers the broader ecosystem, including signing operations and models, inter-organizational communications, processes and policies, and certificate issuance and management.



  • Jing Xie


    Threat Intel Analyst


    Dr. Jing Xie is the senior threat intelligence researcher for Venafi, the market leading cybersecurity company in machine identity protection. As a...
