How SolarWinds Busted Up Our Assumptions About Code Signing

From darkreading.com


With so much automation in the code-writing process, results are rarely double-checked, which opens the door to vulnerabilities and downright danger.

As the fallout from the SolarWinds hack broadens, we continue to learn more about just how it happened in the first place. There have now been four malware strains identified, one being Sunspot, which was installed on the SolarWinds build server that developers use to piece together software applications.

When it comes to software supply chains, code signing is a commonly used practice to indicate the provenance of software. In theory, the process validates the authenticity and integrity of the code. But as we all now know, that isn’t always the case. 
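To make the gap concrete, here is an added example (not code from the article or from SolarWinds) that models a release pipeline with Go's standard-library Ed25519: a signature check passes for a clean build and for a build altered on the build server before signing, while a comparison against an independently reproduced build of the same source catches the altered one. The payload bytes and the "injected code" marker are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is one signed build output: the bytes the pipeline signed plus the signature.
type Artifact struct {
	Payload   []byte
	Signature []byte
}

// buildAndSign models the vendor's release step: it signs whatever the build server
// handed it, so code injected before this step is signed exactly like clean output.
func buildAndSign(priv ed25519.PrivateKey, buildOutput []byte) Artifact {
	return Artifact{Payload: buildOutput, Signature: ed25519.Sign(priv, buildOutput)}
}

// VerifySignature is what code signing gives the customer: proof that the vendor's key
// signed these exact bytes. It says nothing about how those bytes were produced.
func VerifySignature(pub ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pub, a.Payload, a.Signature)
}

// MatchesIndependentBuild is the check signing does not provide: compare the signed
// artifact with the same source built outside the vendor's build server (reproducible build).
func MatchesIndependentBuild(a Artifact, independentBuild []byte) bool {
	return sha256.Sum256(a.Payload) == sha256.Sum256(independentBuild)
}

// Scenario signs a clean build and a build altered by a hypothetical compromised build
// server, then returns: signature valid (clean, tampered), independent build matches (clean, tampered).
func Scenario() (sigClean, sigTampered, repClean, repTampered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	clean := []byte("constructed sample: compiled vendor release")                   // constructed stand-in
	tampered := append(append([]byte{}, clean...), []byte(" + injected code")...) // altered before signing
	a, b := buildAndSign(priv, clean), buildAndSign(priv, tampered)
	return VerifySignature(pub, a), VerifySignature(pub, b),
		MatchesIndependentBuild(a, clean), MatchesIndependentBuild(b, clean)
}

func main() {
	sc, st, rc, rt := Scenario()
	fmt.Printf("signature valid: clean=%v tampered=%v\n", sc, st) // both true
	fmt.Printf("matches independent build: clean=%v tampered=%v\n", rc, rt)
}
```

The signature check alone cannot tell the two artifacts apart; only the out-of-band comparison with an independently built artifact does.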
