It's week 2 of the National Cyber Security Awareness Month (NCSAM). And, to help promote cyber security awareness, DigiCert is posting a blog post once a week in coordination with that week's theme as well as daily security tips on social media. To see our daily tips, follow us on Facebook, Google+, and Twitter.
This week's theme for the NCSAM is "Secure development of IT products." And, while secure development is important, it may not matter to your end-users if the code is tampered with while it's on its way to them.
Let's look at a real life example. When you go shopping for milk, a red flag goes off in your head if the seal is broken. You probably wouldn't buy that milk carton, and you might even reconsider shopping at that grocery store again. Even if everything else about the carton and the milk inside seemed fine, chances are no one is going to buy it.
This is because that seal is the sign that the milk inside has not been touched since it left the facility where it was bottled. And, without it, your trust in that carton and even that brand may be called to question.
Just as with the seal on the carton, unsigned code is suspiciously viewed by end-users. Users are growing more and more suspicious of anything downloaded from the Internet, which isn't surprising considering the increase in phishing emails (6.8% from 2013) and other phishing attempts that prompt users to download an item or click on an attachment.
Signing code with a Code Signing Certificate creates a digital signature to verify the identity of the original code developer. Developers can digitally sign their application with a Code Signing Certificate from a Certificate Authority (CA), showing the user that the code has not been tampered with by a malicious third party. If the code was corrupted or if the application has not been signed, the user will be bombarded by frightening warning messages when they try to open the application.
However, the benefits of code signing don’t end with avoiding warning messages. By signing your code you are not only safeguarding your customer’s information, but you are also safeguarding your reputation. If an end-user downloads your application and it infects their system with malware or spam they will lose trust in your application, doing permanent damage to your brand.
To obtain a Code Signing Certificate, a developer applies for the certificate from a CA. The CA verifies the developer’s identity and provides them with a Code Signing Certificate.
Once the developer has the certificate, they must also download a code signing engine. Using the code signing engine, the developer selects the code that they want to sign and signs it with their certificate token. Once signed, the code will contain a timestamp as well as the developer's (or company's) information so that users know where the code is from and that it hasn't been tampered with since it was signed.