Securing Application Deployment with Obfuscation and Code Signing: How to Create 3 Layers of Protection for .NET Release Build
By Slava Gomzin
()
About this ebook
Booklet for developers and security professionals on how to implement code obfuscation, .NET strong name signing, and Authenticode code signing in order to protect applications deployment. The guide contains detailed description of different code signing implementation options from basic software to sophisticated hardware solution.
Topics include: reasons to implement code obfuscation and signing, obfuscation and strong name signing dependencies, description of Authenticode signing process, singing certificates and certificate authorities, signing certificate private key storage: hardware vs. software, three ways to implement code signing, and more (Article: ~4,460 words).
Table of Contents includes:
1. Introduction
Several Reasons to Implement Code Obfuscation and Signing
Additional Benefits of Strong Name Signing
Additional Benefits of Authenticode Signing
2. Code Obfuscation and Strong Name Signing
Code Obfuscation Tools
Obfuscation Project and Strong Name Signing
Obfuscation and Strong Name Signing from Command Line
3. Authenticode Code Signing
Code Signing
Digital Signatures
How Code Signing Works
Authenticode
Code Signing Certificate
X.509 Standard
Obtaining Code Signing Certificate
Signing Certificate Pricing
Code Signing Certificate Storage: Hardware vs. Software
Time Stamping
Certificate Validity (Expiration Date)
4. Implementing Authenticode Signing
Code Signing Process à la Microsoft
Code Signing Implementation Options: Advantages, Disadvantages, Costs
Option 1: “Full Hardware”
Option 2: “Basic Software”
Option 3: “Combined Software/Hardware”
5. Tips on Implementing “Combined Software/Hardware” Option
Requirements to Signing Application
6. Tips on Implementing “Basic Software” Option
Installing Code Signing Certificate on Signing Server
SignTool
Installing SignTool
Using SignTool
5. Testing
Testing Obfuscation
Testing Strong Name Signatures
Testing Authenticode Signatures
6. Resources
Tools and Products
Authenticode Certificates Offered by Public Certificate Authorities
Online Authenticode Timestamping Services
Standards
Articles
Books
About the Author
Slava Gomzin, CISSP, ECSP, Security+ has more than 15 years of professional experience in software development and application security. He is Security Architect at Retalix USA.
Slava Gomzin
Slava Gomzin is a Security and Payments Technologist at Hewlett-Packard, where he helps create products that are integrated into modern payment processing ecosystems using the latest security and payments technologies. Prior to joining Hewlett-Packard, Slava was a security architect, corporate product security officer, R&D and application security manager, and development team leader at Retalix, a Division of NCR Retail. As PCI ISA, he focused on security and PA-DSS, PCI DSS, and PCI P2PE compliance of POS systems, payment applications, and gateways. Before moving into security, Slava worked in R&D on design and implementation of new products including next-generation POS systems and various interfaces to payment gateways and processors. Slava currently holds CISSP, PCIP, ECSP, and Security+ certifications. He blogs about payment security at www.gomzin.com.
Read more from Slava Gomzin
Hiding Web Traffic with SSH: How to Protect Your Internet Privacy against Corporate Firewall or Insecure Wireless Rating: 0 out of 5 stars0 ratingsSecuring Email Communication: How to Protect Your Correspondence from Wiretapping Using Free Tools Rating: 0 out of 5 stars0 ratingsSecuring .NET Web Services with SSL: How to Protect “Data in Transit” between Client and Remote Server Rating: 0 out of 5 stars0 ratingsProtecting Confidential Information: How to Securely Store Sensitive Data Rating: 0 out of 5 stars0 ratings
Related to Securing Application Deployment with Obfuscation and Code Signing
Related ebooks
Automated Security Analysis of Android and iOS Applications with Mobile Security Framework Rating: 1 out of 5 stars1/5Security Engineering: CISSP, #3 Rating: 0 out of 5 stars0 ratingsSoftware Development Security: CISSP, #8 Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701 Rating: 0 out of 5 stars0 ratingsThe Web Application Hacker's Handbook: Finding and Exploiting Security Flaws Rating: 3 out of 5 stars3/5VMware View Security Essentials Rating: 0 out of 5 stars0 ratingsCybersecurity Incident Response: How to Contain, Eradicate, and Recover from Incidents Rating: 0 out of 5 stars0 ratingsEmail Security Architecture A Clear and Concise Reference Rating: 0 out of 5 stars0 ratingsInfoSecurity 2008 Threat Analysis Rating: 0 out of 5 stars0 ratingsCyber-security regulation Third Edition Rating: 0 out of 5 stars0 ratingsCompTIA Cloud+ Study Guide: Exam CV0-002 Rating: 0 out of 5 stars0 ratingsFinancial Cybersecurity Risk Management: Leadership Perspectives and Guidance for Systems and Institutions Rating: 0 out of 5 stars0 ratingsCombating Spyware in the Enterprise: Discover, Detect, and Eradicate the Internet's Greatest Threat Rating: 4 out of 5 stars4/5OSSEC Host-Based Intrusion Detection Guide Rating: 5 out of 5 stars5/5OWASP A Complete Guide - 2019 Edition Rating: 0 out of 5 stars0 ratingsSnort Intrusion Detection 2.0 Rating: 4 out of 5 stars4/5Cybersecurity Policy A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsThe Official (ISC)2 Guide to the CCSP CBK Rating: 0 out of 5 stars0 ratingsPCI DSS: An Integrated Data Security Standard Guide Rating: 0 out of 5 stars0 ratingsCompTIA Linux+ Practice Tests: Exam XK0-004 Rating: 0 out of 5 stars0 ratingsCybersecurity Regulations A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsSecuring the Cloud: Cloud Computer Security Techniques and Tactics Rating: 5 out of 5 stars5/5Information Security Governance: A Practical Development and Implementation Approach Rating: 0 out of 5 stars0 ratingsPKI A Complete Guide - 2021 Edition Rating: 0 out of 5 stars0 ratingsCSA Guide to Cloud Computing: Implementing Cloud Privacy and Security Rating: 0 out of 5 stars0 ratingsSnort Intrusion Detection and Prevention Toolkit Rating: 5 out of 5 stars5/58 Steps to Better Security: A Simple Cyber Resilience Guide for Business Rating: 0 out of 5 stars0 ratingsCracking the Fortress: Bypassing Modern Authentication Mechanism Rating: 0 out of 5 stars0 ratingsOwasp A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsCEH Certified Ethical Hacker Study Guide Rating: 3 out of 5 stars3/5
Security For You
Hacking : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Ethical Hacking Rating: 5 out of 5 stars5/5How to Become Anonymous, Secure and Free Online Rating: 5 out of 5 stars5/5The Hacker Crackdown: Law and Disorder on the Electronic Frontier Rating: 4 out of 5 stars4/5How to Be Invisible: Protect Your Home, Your Children, Your Assets, and Your Life Rating: 4 out of 5 stars4/5Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5How to Hack Like a Pornstar Rating: 5 out of 5 stars5/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5Social Engineering: The Science of Human Hacking Rating: 3 out of 5 stars3/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsMike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Hacking: Ultimate Beginner's Guide for Computer Hacking in 2018 and Beyond: Hacking in 2018, #1 Rating: 4 out of 5 stars4/5Remote/WebCam Notarization : Basic Understanding Rating: 3 out of 5 stars3/5The Cyber Attack Survival Manual: Tools for Surviving Everything from Identity Theft to the Digital Apocalypse Rating: 0 out of 5 stars0 ratingsCybersecurity For Dummies Rating: 4 out of 5 stars4/5Practical Lock Picking: A Physical Penetration Tester's Training Guide Rating: 5 out of 5 stars5/5Network+ Study Guide & Practice Exams Rating: 4 out of 5 stars4/5Make Your Smartphone 007 Smart Rating: 4 out of 5 stars4/5Tor and the Dark Art of Anonymity Rating: 5 out of 5 stars5/5Wireless Hacking 101 Rating: 4 out of 5 stars4/5CompTIA CySA+ Cybersecurity Analyst Certification Passport (Exam CS0-002) Rating: 5 out of 5 stars5/5CompTIA CySA+ Practice Tests: Exam CS0-002 Rating: 0 out of 5 stars0 ratingsDark Territory: The Secret History of Cyber War Rating: 4 out of 5 stars4/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Rating: 4 out of 5 stars4/5Ultimate Guide for Being Anonymous: Hacking the Planet, #4 Rating: 5 out of 5 stars5/5IAPP CIPP / US Certified Information Privacy Professional Study Guide Rating: 0 out of 5 stars0 ratings
Reviews for Securing Application Deployment with Obfuscation and Code Signing
0 ratings0 reviews
Book preview
Securing Application Deployment with Obfuscation and Code Signing - Slava Gomzin
Securing Application Deployment with Obfuscation and Code Signing
How to Create 3 Layers of Protection for .NET Release Build
Application Security Series
Slava Gomzin
Cover Photo and Design: Alisa Levy
Smashwords Edition
Copyright © 2012 Slava Gomzin
Table of Contents
1. Introduction
Several Reasons to Implement Code Obfuscation and Signing
Additional Benefits of Strong Name Signing
Additional Benefits of Authenticode Signing
2. Code Obfuscation and Strong Name Signing
Code Obfuscation Tools
Obfuscation Project and Strong Name Signing
Obfuscation and Strong Name Signing from Command Line
3. Authenticode Code Signing
Code Signing
Digital Signatures
How Code Signing Works
Authenticode
Code Signing Certificate
X.509 Standard
Obtaining Code Signing Certificate
Signing Certificate Pricing
Code Signing Certificate Storage: Hardware vs. Software
Time Stamping
Certificate Validity (Expiration Date)
4. Implementing Authenticode Signing
Code Signing Process à la Microsoft
Code Signing Implementation Options: Advantages, Disadvantages, Costs
Option 1: Full Hardware
Option 2: Basic Software
Option 3: Combined Software/Hardware
5. Tips on Implementing Combined Software/Hardware
Option
Requirements to Signing Application
6. Tips on Implementing Basic Software
Option
Installing Code Signing Certificate on Signing Server
SignTool
Installing SignTool
Using SignTool
5. Testing
Testing Obfuscation
Testing Strong Name Signatures
Testing Authenticode Signatures
6. Resources
Tools and Products
Authenticode Certificates Offered by Public Certificate Authorities
Online Authenticode Timestamping Services
Standards
Articles
Books
About the Author
1. Introduction
One of important characteristics for commercial software is allowing customers to trust the software manufacturer by validating authenticity and integrity of the software components.