Blog
Recent PostsFeed
-
Building trusted software for macOSPaul Savoie November 29, 2024
Distributing trusted Apple applications beyond the App Store
Read more -
From Implicit to Explicit: Why Code Signing is the Missing Link in DevSecOpsPaul Savoie September 10, 2024
By eliminating complexity, SignPath delivers a robust and flexible mechanism that fits naturally in modern software supply chains
Read more -
New year, new faces: SignPath expands the market going activitiesKlaus Rathje February 22, 2024
We will boost and expand the market going activities. With this move, we also grow our leadership team.
Read more -
Cybernews interview with our CEO: supply chains and code signingStefan Wenig February 21, 2022
"You can spend millions of dollars for IT security and still become a victim of an attack on a supplier"
Read more -
DP API Encryption Ineffective in Windows ContainersMarc Nimmerrichter March 23, 2021
We discovered that DP API encryption in Windows containers is not secure
Read more -
Experiences with Security Report Handling: The Good and the BadDaniel Ostovary March 23, 2021
On the stark differences of reporting security vulnerabilities between major software vendors
Read more -
Evaluating the Sunburst Hack: Causes and Future PreventionStefan Wenig December 21, 2020
How hackers exploited one ISV's software to reach political targets - and how software industry practices need to improve
Read more -
Unfulfilled Expectations: Revoked Certificates in JAR SigningDaniel Ostovary August 26, 2020
In April we became aware of a conceptual security issue in the JarSigner. The fix will be shipped with the release of JDK 15
Read more -
On the Importance of Trust Validation: Microsoft's Dangerous MistakeDaniel Ostovary August 26, 2020
Our discovery of how Microsoft didn't verify the validity of timestamping certificates on VSIX packages
Read more -
A White Hat Story: Analysis of Secure Variables in AppVeyorDaniel Ostovary December 13, 2019
We discovered that the encryption of AppVeyor secret variables is susceptible to Padding Oracle attacks.
Read more