Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Security No-Brainer #4: EV-Certificates for ISVs

by Neil MacDonald  |  May 1, 2009  |  2 Comments

Let me summarize my security no-brainers to date:

The first was in reference to a global, industry-wide effort to create a shareable, standards-based application whitelist database built directly from feeds from ISVs.

The second was in reference to the use of whitelisting in the hypervisor/VMM (especially the “parent” or Dom0 partition) layer to prevent the execution of unauthorized code in this security-sensitive layer.

The third was advocating the use of measurements of trust for virtualization software (starting with hypervisors and virtual machine monitors).

As I continue to research application control / application whitelisting technologies, one way to automate building and updating the whitelist of applications a user is allowed to execute is to define a higher-level policy such as “let any application that has been digitally signed by Microsoft run”. Many of the application control vendors I cover support this capability. So in essence, we whitelist the vendors whose code we want to allow to run rather than whitelisting application by application.

But what about code that is signed by a vendor that we haven’t seen before? Of course, bad guys can obtain a certificate from legitimate CAs and digitally sign their code (and they can use company names that sound quite legitimate). So why not set a higher bar for ISVs to obtain certificates, just as we’ve done on the Web with Extended Validation SSL Certificates (EV-Certs)? I’m no Pollyanna. EV-Certs don’t solve every problem on the Web and they certainly won’t solve every problem for application control (e.g. they say nothing about the quality of the website or of the code) — but it would be a step forward.

Some organizations with more permissive policies might set a policy that says “let any application digitally signed with an EV-Cert run”. Others will be more restrictive. If an organization runs into an unknown application written by an unknown vendor, the fact that the application was signed by an ISV using an EV-Cert would be just one more factor in an overall assessment of the trustworthiness of the application.

The benefits go beyond application control. For example, on 64-bit Windows, Microsoft requires the use of digitally signed device drivers as an extra precaution against malicious drivers. An extra level of confidence in the source of the drivers, using EV-Certs, would help here as well.
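The tiers sketched above (an explicit per-file whitelist, a publisher whitelist such as “signed by Microsoft”, and an optional “any EV-signed code” tier, with EV status otherwise serving as one factor in a manual assessment) can be expressed as a small ordered policy. The following is an added example written for this page, not code from the post or from any application control vendor: the signer names, hashes and verification results are constructed inputs, and a real deployment would take these fields from the operating system’s code-signing verification rather than from hand-built metadata. The one point the example adds is that a signer name on its own proves nothing; the signature must chain to a trusted root before the publisher or EV rules are even consulted.

```python
"""Added example (not from the original post): an application-control policy
evaluator modelling hash, publisher and EV tiers. All inputs are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Validation(Enum):
    """How thoroughly the CA vetted the signer (constructed labels)."""
    NONE = "unsigned"
    STANDARD = "standard"   # ordinary organization-validated code-signing cert
    EV = "ev"               # extended validation: stricter identity vetting


@dataclass(frozen=True)
class Binary:
    """Metadata the policy sees for one executable (constructed)."""
    name: str
    sha256: str                      # file hash, for per-file whitelisting
    signer: Optional[str]            # subject organization on the signing cert
    validation: Validation
    chain_valid: bool = False        # chain builds to a trusted root, not revoked


@dataclass
class Policy:
    """Ordered evaluation: hash list, then publisher list, then EV tier."""
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_publishers: Set[str] = field(default_factory=set)
    allow_any_ev: bool = False       # the "permissive" tier from the post

    def evaluate(self, b: Binary) -> Tuple[str, str]:
        """Return (decision, reason); decision is 'allow', 'deny' or 'review'."""
        if b.sha256 in self.allowed_hashes:
            return "allow", "hash is explicitly whitelisted"
        # A signer name is only meaningful if the signature actually verifies.
        signed = (b.signer is not None and b.chain_valid
                  and b.validation is not Validation.NONE)
        if not signed:
            return "deny", "unsigned, or signature does not chain to a trusted root"
        if b.signer in self.allowed_publishers:
            return "allow", "publisher '%s' is whitelisted" % b.signer
        if b.validation is Validation.EV:
            if self.allow_any_ev:
                return "allow", "EV-signed by an unknown publisher (permissive tier)"
            return "review", "EV-signed but publisher unknown: one factor in a manual assessment"
        return "deny", "standard-validated signer '%s' is not a known publisher" % b.signer


def sample_binaries() -> List[Binary]:
    """Constructed sample inputs; hashes are placeholders, not real digests."""
    return [
        Binary("updater.exe", "sha256:placeholder-updater", "Microsoft Corporation",
               Validation.STANDARD, chain_valid=True),
        Binary("newapp.exe", "sha256:placeholder-newapp", "Example ISV Ltd",
               Validation.EV, chain_valid=True),
        Binary("tool.exe", "sha256:placeholder-tool", "Plausible Software Inc",
               Validation.STANDARD, chain_valid=True),
        Binary("forged.exe", "sha256:placeholder-forged", "Microsoft Corporation",
               Validation.STANDARD, chain_valid=False),   # name matches, chain fails
        Binary("legacy.exe", "sha256:placeholder-legacy", None,
               Validation.NONE),                          # unsigned, hash-listed
    ]


# The two organizational postures described in the post (constructed policies).
PERMISSIVE = Policy(allowed_hashes={"sha256:placeholder-legacy"},
                    allowed_publishers={"Microsoft Corporation"}, allow_any_ev=True)
RESTRICTIVE = Policy(allowed_hashes={"sha256:placeholder-legacy"},
                     allowed_publishers={"Microsoft Corporation"}, allow_any_ev=False)


def decisions(policy: Policy, binaries: Optional[List[Binary]] = None) -> Dict[str, str]:
    """Map each binary name to the policy's decision."""
    return {b.name: policy.evaluate(b)[0] for b in (binaries or sample_binaries())}


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print("==", label, "==")
        for b in sample_binaries():
            decision, reason = policy.evaluate(b)
            print("%-12s %-7s %s" % (b.name, decision, reason))
```

Under the permissive policy `newapp.exe` is allowed purely because it is EV-signed; under the restrictive policy it is routed to review instead, which is the “one more factor” posture. `tool.exe`, validly signed with an ordinary certificate by a publisher nobody has vetted, is denied under both, and `forged.exe` is denied despite carrying a whitelisted publisher name because its chain does not verify.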


Category: Application Security, Beyond Anti-Virus

2 responses so far

  • 1 Raj Rajamani   May 5, 2009 at 6:55 pm

    Neil,
    Good observation and suggestion. Solidcore has one of the most advanced runtime capabilities that allows administrators to accept signatures from various sources. Many popular point-of-sale manufacturers and ATM vendors use very restrictive policies – in fact, they will allow updates only when they are signed by two entities – 1. the vendor, and 2. the organization that has purchased/leased the device from the vendor.

    Our customers adopt a very different approach to allow applications from an unknown vendor to run. I would love to talk about it, but cannot do so on a public blog. Call me if you want to know how we do this.

    Thanks,
    Raj

  • 2 Jason   May 12, 2009 at 7:41 am

    Yeah, it’s insanely easy for badguys.com to obtain the “average” SSL cert these days. EV SSL allows for more robust security, and the additional vetting process proves to customers that you are who you say you are.