Not Caring About Code Signing is a Billion Dollar Mistake ft. Stefan Wenig
In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Stefan Wenig, CEO and CTO at SignPath, to discuss why code signing must be treated as a complete business process, not simply a matter of managing keys and certificates. Together, they explore how changing baseline requirements are reshaping code signing, why organizations need greater visibility into their certificate landscapes and how centralized infrastructure can bring development, operations and security teams into alignment.
In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Stefan Wenig, CEO and CTO at SignPath, to discuss why code signing must be treated as a complete business process, not simply a matter of managing keys and certificates.
They explore how changing baseline requirements are reshaping code signing, why organizations need greater visibility into their certificate landscapes, and how centralized infrastructure can bring development, operations, and security teams into alignment.
What You’ll Learn:
- Why code signing is a wider security and operational process
- How evolving baseline requirements are changing code signing practices
- Why visibility into keys and certificates must come before greater control
- How centralized procurement and infrastructure reduce security gaps
- Why crypto agility is essential for post-quantum readiness
Stefan Wenig is the CEO and CTO of SignPath. He specializes in code signing, secure software development, certificate management and the infrastructure organizations need to protect their software supply chains. Through his work, Stefan helps organizations bring greater visibility, flexibility and centralized control to signing processes that often span development, security and operations teams.
If you enjoyed this episode, make sure to subscribe, rate, and review on Apple Podcasts, Spotify, and YouTube Podcasts, instructions on how to do this are
here.
Episode Resources:
Key Takeaways:
- [00:59] Code Signing Is a Complete Process
Code signing cannot be reduced to isolated key management or certificate management decisions. It sits inside a much larger system involving secure software development, DevOps, operations and multiple teams with different responsibilities. Security depends on those smaller practices working together rather than being handled independently.
- [02:17] Baseline Requirements Are Raising the Standard
Changes to FIPS requirements have strengthened expectations around how code signing keys are stored. Dedicated, certified devices make it harder for private keys to be copied or stolen. Certificate validity periods have also shortened, increasing the operational pressure on organizations that still manage certificates manually.
- [03:45] Crypto Agility Cannot Wait for Quantum Computing
Nobody knows exactly when quantum computers will be capable of breaking today’s cryptographic algorithms. That uncertainty does not remove the need to prepare. Organizations need signing infrastructure that can switch algorithms quickly and support the move toward quantum-safe standards as platforms adopt them.
- [07:32] Centralization Reduces Hidden Security Gaps
Certificate procurement, key issuance, and signing access should flow through a centralized process. Without it, development teams may create direct arrangements with operations teams or purchase certificates from providers without the security team knowing. Centralized infrastructure creates a clear source of truth and makes access easier to audit.
Quotes:
- “Code signing is a process much more than any isolated key management or certificate management issue.”
- “It’s important to lay it out for everybody who’s involved and make sure that all the little practices really work together to achieve the ultimate goal of security.”
- “We don’t know when quantum computers will be able to actually break codes, but we have to prepare.”
- “Every organization should prepare in every aspect of their crypto procedures to be able to switch to quantum-safe algorithms.”
- “If you don’t know where your keys are, if you don’t know what certificates have been issued in your organization’s name, then you’re basically sitting ducks.”
- “Whenever somebody needs a key or certificate, it has to go through some kind of central infrastructure and some kind of centralized process.”