Keeping Trusted Applications Safe on Enterprise Desktop and Mobile with Symantec Code Signing Lee-Lin Thye Senior Product Marketing Manager
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Keeping Trusted Applications Safe on Enterprise Desktop and Mobile with Symantec Code Signing
Lee-Lin Thye Senior Product Marketing Manager
SYMANTEC VISION 2013
IT Security Risks and Technology Trends
Symantec Code and Application Signing Services
Source: Ponemon 2013 Sate of Endpoint Security Research
SYMANTEC VISION 2013
What Are the Basics of Code Signing?
Code signing creates a digital "shrink-wrap" for secure distribution of code and content over the Internet
Vetting and approval of the developer
Verify the integrity of an application
Grant access to run or download an application based on the digital signature
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What Is the Value of Code Signing?
Protect your code integrity and reputation
• Digital signatures contain proof of content integrity so that your code cannot be altered and distributed with unapproved changes
• If the hash used to sign the application matches the hash on a downloaded application, the code integrity is intact
Code Integrity 1
Security Warnings 2
Mobile & Malware 3
Certificate Revocation 4
TImestamps 5
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What Is the Value of Code Signing?
Reduce security warnings with a trusted CA
• Choosing a CA with high root ubiquity is important – Root certificates should come preinstalled on most devices and are embedded in most applications
• This allows for your code to be automatically accepted for a seamless download
Code Integrity 1
Security Warnings 2
Mobile & Malware 3
Certificate Revocation 4
TImestamps 5
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
User Experience – Installing desktop apps on Windows
With Unsigned Application
With Signed Application
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What Is the Value of Code Signing?
Mobile & Malware trends make code signing more important than ever
• More people access information via mobile applications than ever before – and all major mobile platforms require code to be signed
• Sophisticated malware proliferation continues to grow at an alarming rate – proper code signing can help prevent malware infection in your code
Code Integrity 1
Certificate Revocation 4
TImestamps 5
Security Warnings 2
Mobile & Malware 3
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
Malware in the Android Environment An example of popular application mimicry
“Android Apps Get Hit With the Evil Twin Routine” – Symantec, 4/24/2012 http://www.symantec.com/connect/blogs/android-apps-get-hit-evil-twin-routine-part-1
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
Symantec Code Signing for Android
• Sign .apk files for Android, optimize with zipalign tool
• Securely retain signing keys and keep them easily accessible
• Dedicated Symantec root certificate for Android
• Generate new keys per Android SDK requirements
• Unlimited signing
• Management of private keys and applications, as well as signing activity, all in one portal
• Easy application version updates
• Full reporting and auditing ability to closely track signing activity
• Authentication by Symantec, for organizations or individuals
Features Benefits
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What Is the Value of Code Signing?
Ability to revoke a certificate is “good housekeeping”
• If a signing certificate is stolen, lost or no longer needed, a good house cleaning rule is to revoke your certificate
• This will ensure that it cannot be used for future signings as the applications will no longer be trusted
Code Integrity 1
TImestamps 5
Security Warnings 2
Certificate Revocation 4
Mobile & Malware 3
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What Is the Value of Code Signing?
Protect functionality of older applications by properly timestamping
• Your code will remain valid even if your code signing certificate expires, because the validity of the code signing certificate at the time of the digital signature can be verified
Code Integrity 1
Security Warnings 2
Mobile & Malware 3
TImestamps 5
Certificate Revocation 4
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What Is the Value of Code Signing?
Bottom Line:
Ensure a safe, secure experience for your customers
• Minimize security warnings and installation failures while maximizing code distribution and revenue potential.
• Signing your code ensures that it has not been tampered with and that it comes from you.
Code Integrity 1
Security Warnings 2
Mobile & Malware 3
Certificate Revocation 4
TImestamps 5
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
What defines Symantec’s market leadership in the code signing and application security space?
7 out of every 10 code signing certificate is issued by Symantec
Windows Phone Brew AT&T Java Mobile Android Widget Signing
API and Web Portal Unique Signing Keys Multiple Signing Types Reports and Auditing Test House Integration
Microsoft Authenticode Microsoft Office & VBA
Java Adobe AIR
Mac
EV Certificates Time Stamping
OCSP / CRLs Revocation Service
Symantec Threat Intel Developer Vetting
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
Hosted Signing
Code Signing Portal
Customizable Turnkey Solution for App Stores / Providers and OEMs
Visibility and Control of all Certificates in the Ecosystem
Authenticate Identity of Publishers and Enforce Accountability
Certificate Validation via OCSP or CRL to Minimize Potential Security Breaches
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
How Does the Symantec Code Signing Portal (Hosted Signing) Work?
Certificate Authority With Trusted Roots
Private Key Public Key
1 Certificate
Content Authenticate Publisher’s
Identity
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
How Does the Symantec Code Signing Portal Work?
Certificate Authority With Trusted Roots
Private Key Public Key
1 Certificate
Content
Separate content CA-Unique Cert for
Each Application
2
Authenticate Publisher’s Identity
Unsigned Content
4 Authenticate Content Identity
3
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
How Does the Symantec Code Signing Portal Work?
Certificate Authority With Trusted Roots
Private Key Public Key
1 Certificate
Content
Separate content CA-Unique Cert for
Each Application
2
Authenticate Publisher’s Identity
Unsigned Content
4 Authenticate Content Identity
3
Verify Signature • Trusted • Valid OCSP/CRL Repository
5
Response
Request Signed Content
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
Takeaways
Symantec Code Signing and Application Security
• Ensures applications have not been tampered with
• Limits warnings for customers who want to download your software
• Verifies the author of the software
Code Signing is an important, baseline part of distributing software
• Use of APIs for developer vetting and signing
• Unique signing keys and use of many signing types
• Test House integration
• Full activity reporting and auditing
Symantec’s Hosted Signing Service integrates with your environment
Symantec Code and Application Signing Services
SYMANTEC VISION 2013
Get in Touch to Learn More
Follow us
@NortonSecured
Read our SSL blog
http://www.symantec.com/connect/blogs/website-security-solutions
Like us
www.facebook.com/SymantecWebsiteSecuritySolutions
More resources
Symantec Code Signing go.symantec.com/code-signing
Symantec Code and Application Signing Services
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2013 Symantec Corporation. All rights reserved.
Thank you!
• Lee-Lin Thye
• 650-527-9474
Symantec Code and Application Signing Services
Related Documents
