Gartner Blog Network

Security No-Brainer #4: EV-Certificates for ISVs

by Neil MacDonald  |  May 1, 2009  |  2 Comments

Let me summarize my security no-brainers to date:

The first was in reference to a global, industry-wide effort to create a shareable, standards-based application whitelist database built directly from feeds from ISVs.

The second was in reference to the use of whitelisting in the hypervisor/VMM (especially the “parent” or Dom0 partition) layer to prevent the execution of unauthorized code in this security-sensitive layer.

The third was advocating the use of measurements of trust for virtualization software (starting with hypervisors and virtual machine monitors).

As I continue to research application control / application whitelisting technologies, one way to help automate and update the whitelist of applications a user is allowed to execute is to define a higher-level policy such as “let any application that has been digitally signed by Microsoft run”. Many of the application control vendors I cover support this capability. So in essence, we whitelist the vendors whose code we want to allow to run rather than whitelisting application by application.

But what about code that is signed by a vendor that we haven’t seen before? Of course, bad guys can obtain a certificate from legitimate CAs and digitally sign their code (and they can use company names that sound quite legitimate). So why not set a higher bar for ISVs to obtain certificates, just like we’ve done on the Web with Extended Validation SSL Certificates (EV-Certs)? I’m no Pollyanna. EV-Certs don’t solve every problem on the Web and they certainly won’t solve every problem for application control (e.g. they don’t say anything about the quality of the website or of the code) — but it would be a step forward.

Some organizations with more permissive policies might set a policy that says “let any application digitally signed with an EV-Cert run”. Others will be more restrictive. If an organization runs into an unknown application written by an unknown vendor, the fact that the application was signed by an ISV using an EV-Cert would be just one more factor in an overall assessment of the trustworthiness of the application.
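An added example, not from the original post or any vendor's product: a minimal policy evaluator for the publisher-level rules described above, showing how an EV signal changes the outcome under a permissive versus a restrictive policy. The record shapes, names and sample inputs are constructed; the EV marker assumed here is the CA/Browser Forum EV code signing policy OID, which was defined after this post was written.

```python
from dataclasses import dataclass, field

# CA/Browser Forum policy OID for EV code signing certificates (assumption:
# the signature verifier extracts policy OIDs from the signer certificate).
EV_CODE_SIGNING_OID = "2.23.140.1.3"

@dataclass
class Signature:
    """Result of verifying a file's signature (constructed record shape)."""
    chain_valid: bool            # signature verifies and chains to a trusted root
    publisher: str = ""          # organization name from the signer certificate
    policy_oids: list = field(default_factory=list)

@dataclass
class Policy:
    trusted_publishers: frozenset      # vendors whitelisted as a whole
    allow_unknown_ev: bool = False     # permissive orgs: any EV-signed code runs

def evaluate(sig, policy):
    """Return (decision, reason); decision is 'allow', 'review' or 'deny'."""
    if sig is None or not sig.chain_valid:
        return "deny", "unsigned or signature does not verify"
    # Exact match only: a look-alike company name must not inherit trust.
    if sig.publisher in policy.trusted_publishers:
        return "allow", "publisher is whitelisted"
    if EV_CODE_SIGNING_OID in sig.policy_oids:
        if policy.allow_unknown_ev:
            return "allow", "unknown publisher, EV-vetted identity"
        return "review", "unknown publisher, EV-vetted identity (positive factor)"
    return "review", "unknown publisher, standard vetting only"

# Constructed sample inputs.
PERMISSIVE = Policy(frozenset({"Microsoft Corporation"}), allow_unknown_ev=True)
RESTRICTIVE = Policy(frozenset({"Microsoft Corporation"}))
SAMPLES = {
    "known_vendor": Signature(True, "Microsoft Corporation"),
    "lookalike": Signature(True, "Microsoft Corporation Ltd."),
    "unknown_ev": Signature(True, "Example ISV GmbH", [EV_CODE_SIGNING_OID]),
    "tampered": Signature(False, "Microsoft Corporation"),
    "unsigned": None,
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        print(name, evaluate(sig, PERMISSIVE)[0], evaluate(sig, RESTRICTIVE)[0])
```

The look-alike publisher never reaches "allow" under either policy, and a failed signature check is denied even when the publisher name matches a whitelisted vendor.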

The benefits go beyond application control. For example, on 64-bit Windows, Microsoft requires the use of digitally signed device drivers as an extra precaution against malicious drivers. An extra level of confidence in the source of the drivers using EV-Certs would help here as well.


Thoughts on Security No-Brainer #4: EV-Certificates for ISVs

  1. Raj Rajamani says:

    Good observation and suggestion. Solidcore has one of the most advanced runtime capabilities that allows administrators to accept signatures from various sources. Many popular Point-of-Sale manufacturers and ATM vendors use very restrictive policies – in fact, they will allow updates only when they are signed by two entities – 1. the vendor, and 2. the organization that has purchased/leased the device from the vendor.

    Our customers adopt a very different approach to allow applications from an unknown vendor to run. I would love to talk about it, but cannot do so on a public blog. Call me if you want to know how we do this.


  2. Jason says:

    Yeah, it’s insanely easy to obtain the “average” SSL cert these days. EV SSL allows for more robust security, and the additional vetting process proves to customers that you are who you say you are.
