Navigating the Future of Secure Code Signing and Cryptography


In today’s interconnected world, the integrity of software has never been more critical. With the increasing reliance on open-source components and the complexities introduced by containerized applications, ensuring trust in software has become a cornerstone of modern security practices.

I had a chance to chat with Eric Mizell, Field CTO and VP of Field Engineering at Keyfactor, to learn about his insights into the evolving landscape of secure code signing and the urgent need for organizations to prepare for post-quantum cryptography (PQC).

The Foundation of Secure Code Signing

Secure code signing has long been the bedrock of software trust, allowing organizations to verify that code originates from a trusted source and has not been tampered with. However, as Mizell points out, “We’re at a point where you can’t even deploy a piece of code or run software on your laptop without ensuring it’s trusted.” The growing adoption of Software Bill of Materials (SBOMs) is a testament to this evolution, helping organizations catalog and verify the components within their software.

Despite these advances, the challenges are daunting. Modern software development relies heavily on open-source code, with Mizell noting, “Only about 25% of most programs are original code. The rest is a tapestry of dependencies that developers weave together.” This heavy dependence on external modules widens the attack surface to every transitive dependency, as the Log4Shell vulnerability (CVE-2021-44228) in Log4j demonstrated when a single logging library exposed applications that had never called it directly.

Preparing for a Post-Quantum World

The urgency of preparing for PQC cannot be overstated. NIST has already standardized quantum-safe algorithms (ML-KEM, ML-DSA and SLH-DSA in FIPS 203, 204 and 205, published in August 2024), and its draft IR 8547 sets the timeline for retiring the algorithms they replace: quantum-vulnerable RSA and ECC at the 112-bit security level (RSA-2048, ECDSA P-256) are to be deprecated after 2030 and disallowed entirely after 2035. The clock is ticking. “Waiting until 2030 will be a disaster,” Mizell warns, comparing the situation to the Y2K scramble. “We already know this is coming. There’s no excuse to wait.”

Keyfactor advocates for a proactive approach, starting with customer-facing assets. “Protecting the perimeter first is the best advice we can give today,” Mizell explains. By deploying hybrid certificates that carry both a legacy (RSA or ECC) key and a post-quantum key, so that a relying party checks a signature from each, organizations can begin transitioning their infrastructure while minimizing disruption.
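The essential property of a hybrid signature is the verifier's behaviour: both component signatures must check out, and a verifier that quietly falls back to accepting one alone is only as strong as the weaker algorithm. The Go program below is an added illustration of that combiner and is not Keyfactor's code or anything from the article. It assumes only the Go standard library, so the post-quantum component is stood in by Ed25519 next to an ECDSA P-256 legacy component; a real deployment would put ML-DSA in that slot. The type and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HybridSignature carries one signature per component algorithm. Both travel
// together; neither is meaningful on its own.
type HybridSignature struct {
	Classical []byte // ECDSA P-256 over SHA-256(artifact), ASN.1 encoded
	Second    []byte // stand-in for the post-quantum component (Ed25519 here)
}

// HybridSigner holds the two private keys. Assumption for this example: the
// post-quantum component is represented by Ed25519 because only the Go standard
// library is used; a real deployment would use ML-DSA (FIPS 204) there.
type HybridSigner struct {
	classical *ecdsa.PrivateKey
	second    ed25519.PrivateKey
}

// HybridVerifier holds the matching public keys, as a hybrid certificate would.
type HybridVerifier struct {
	classical *ecdsa.PublicKey
	second    ed25519.PublicKey
}

// NewHybridSigner generates both key pairs and returns the signer and verifier.
func NewHybridSigner() (*HybridSigner, *HybridVerifier, error) {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &HybridSigner{classical: ecKey, second: edPriv},
		&HybridVerifier{classical: &ecKey.PublicKey, second: edPub}, nil
}

// Sign produces both component signatures over the same artifact.
func (s *HybridSigner) Sign(artifact []byte) (HybridSignature, error) {
	digest := sha256.Sum256(artifact)
	classical, err := ecdsa.SignASN1(rand.Reader, s.classical, digest[:])
	if err != nil {
		return HybridSignature{}, err
	}
	return HybridSignature{Classical: classical, Second: ed25519.Sign(s.second, artifact)}, nil
}

// Verify applies the AND combiner: the artifact is accepted only if every
// component verifies. Accepting either signature alone would reduce security
// to that of the weaker component, which defeats the purpose of the hybrid.
func (v *HybridVerifier) Verify(artifact []byte, sig HybridSignature) error {
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(v.classical, digest[:], sig.Classical) {
		return errors.New("hybrid verify: classical (ECDSA) component failed")
	}
	if !ed25519.Verify(v.second, artifact, sig.Second) {
		return errors.New("hybrid verify: second (post-quantum stand-in) component failed")
	}
	return nil
}

func main() {
	signer, verifier, err := NewHybridSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for a release artifact.
	artifact := []byte("constructed sample artifact: release-1.2.3.tar.gz contents")
	sig, err := signer.Sign(artifact)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	stripped := sig
	stripped.Second = nil // a downgrade attempt that drops the second component
	fmt.Println("intact artifact:        ", verifier.Verify(artifact, sig))
	fmt.Println("tampered artifact:      ", verifier.Verify(tampered, sig))
	fmt.Println("second component dropped:", verifier.Verify(artifact, stripped))
}
```

Swapping in a real post-quantum scheme means replacing only the `second` key type and the two Ed25519 calls; the combiner logic in `Verify` is what must not change, and it is the part worth a unit test in any signing pipeline.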

The Open-Source and Container Challenge

The widespread use of open-source and containerized applications introduces another layer of complexity. Vulnerabilities in these environments are not just limited to the code itself but extend to the operating systems and application servers within containers. “We’re responsible for all the vulnerabilities in a container,” says Mizell. “Not just our code, but everything it touches.”

Keyfactor addresses these challenges by integrating with existing tools, so organizations can sign and verify their code without overhauling their workflows. Generating and holding signing keys in hardware security modules (HSMs) keeps the private key from ever leaving tamper-resistant hardware and gives every signing operation an audit trail, so a compromised build host cannot walk away with the key.

Lessons from Y2K

The parallels between post-quantum cryptography readiness and Y2K are striking. Both involve known challenges with fixed deadlines and the potential for widespread disruption if ignored. Yet, as Mizell highlights, the scale of today’s cryptographic challenges dwarfs Y2K. “Certs are everywhere,” he says. “From web browsers to mobile devices to physical servers, replacing all these certs with PQC-ready versions is a massive undertaking.”

To tackle this, organizations must adopt a phased approach, starting with high-value assets and building PQC labs to test new algorithms and protocols. Continuous scanning and inventory management will be essential: you cannot plan a migration for certificates you do not know you have, and the first useful cut of an inventory is simply which keys are RSA or ECC and which of them will still be valid when the deprecation dates arrive.
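The Go program below is an added example of that first inventory pass; it is not Keyfactor's tooling or code from the article. It parses a PEM bundle, records each certificate's key algorithm and size, flags every RSA, ECDSA and Ed25519 key as quantum-vulnerable, and marks those that remain valid past the end of 2030. The 2030 cut-off is assumed from NIST's draft IR 8547, and the bundle is constructed in-code from two freshly generated self-signed certificates so the program runs offline; the function and field names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Deprecation2030 is assumed from NIST's draft IR 8547, which proposes
// deprecating 112-bit-security RSA and ECC after 2030 (disallowed after 2035).
var Deprecation2030 = time.Date(2030, 12, 31, 23, 59, 59, 0, time.UTC)

// CertRecord is one inventory row for a certificate.
type CertRecord struct {
	Subject          string
	KeyAlgorithm     string
	KeyBits          int
	NotAfter         time.Time
	Status           string // "quantum-vulnerable" or "unknown-review"
	OutlivesDeadline bool   // still valid after Deprecation2030, so it needs replacing
}

// classify returns key algorithm, key size and migration status. Every key type
// the Go standard library parses today is quantum-vulnerable; anything else is
// flagged for manual review rather than silently passed as safe.
func classify(pub any) (string, int, string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return "RSA", k.N.BitLen(), "quantum-vulnerable"
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name, k.Curve.Params().BitSize, "quantum-vulnerable"
	case ed25519.PublicKey:
		return "Ed25519", 256, "quantum-vulnerable"
	default:
		return fmt.Sprintf("%T", pub), 0, "unknown-review"
	}
}

// Inventory walks a PEM bundle and produces one record per CERTIFICATE block.
func Inventory(bundle []byte) ([]CertRecord, error) {
	var records []CertRecord
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate %d: %w", len(records)+1, err)
		}
		alg, bits, status := classify(cert.PublicKey)
		records = append(records, CertRecord{
			Subject: cert.Subject.CommonName, KeyAlgorithm: alg, KeyBits: bits,
			NotAfter: cert.NotAfter, Status: status,
			OutlivesDeadline: cert.NotAfter.After(Deprecation2030),
		})
	}
	return records, nil
}

// mustSelfSigned builds a minimal self-signed certificate for the sample bundle.
func mustSelfSigned(cn string, key crypto.Signer, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is constructed test data, not real certificates: an RSA-2048
// cert valid past 2030 and an ECDSA P-256 cert that expires before it.
func SampleBundle() []byte {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return append(
		mustSelfSigned("signing.example.test", rsaKey, time.Date(2032, 6, 1, 0, 0, 0, 0, time.UTC)),
		mustSelfSigned("tls.example.test", ecKey, time.Date(2027, 6, 1, 0, 0, 0, 0, time.UTC))...)
}

func main() {
	records, err := Inventory(SampleBundle())
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-22s %-12s %4d bits  expires=%s  status=%s  outlives-2030=%v\n",
			r.Subject, r.KeyAlgorithm, r.KeyBits, r.NotAfter.Format("2006-01-02"), r.Status, r.OutlivesDeadline)
	}
}
```

Pointed at a real estate, `Inventory` would be fed bundles pulled from TLS endpoints, code-signing stores and container images; the rows marked `outlives-2030=true` are the ones whose renewal plan must already include a post-quantum or hybrid replacement.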

Looking Ahead

The road to secure code signing and PQC readiness is fraught with challenges, but the stakes are too high to ignore. As Mizell aptly puts it, “It’s the stuff you don’t know that causes the most pain.” By prioritizing transparency, leveraging tools like SBOMs, and adopting quantum-safe practices, organizations can lay the foundation for a secure future.

Keyfactor’s role in this journey is pivotal. From enabling seamless integration of secure signing tools to protecting cryptographic keys, they’re empowering organizations to navigate these challenges with confidence. The message is clear: the time to act is now. Delaying preparation for PQC and secure code practices risks creating a cybersecurity debt that no organization can afford to pay.

To learn more about how cryptography is evolving and how to prepare for the changes on the horizon, attend Keyfactor’s Tech Days 2025. Register now.

Tony Bradley: I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.