
Adherence to the latest software security standards

Posted: Thu Aug 31, 2023 7:22 am
by Sonideft
As Sonideft has always done, our software files that are distributed to users are digitally signed with a certificate that verifies that the files came from Sonideft Inc. The certificate is highly encrypted and issued to Sonideft by an internationally recognized Root certificate holder - Sectigo. Windows automatically recognizes this certificate in the installation/setup.exe file as a trusted application. Regular update files are also signed with this certificate and are validated by the Java infrastructure prior to being used to update Quick Pole. If there are any irregularities at all, Quick Pole will present a dialog showing the issues/discrepancies with the certificates embedded in the code. In all cases of errors/discrepancies, you should not proceed with the update or install and should contact us for advice. Windows will likewise present a serious-looking dialog and try to prevent you from installing software that does not have a perfect digital certificate attached.

The recent change in the software world for security is to put additional rigor into how these digital certificates are delivered and used. Previously, a file was issued to the organization after it passed intense background checks. It was found that this process had a vulnerability in that this same file, if stolen or leaked, could be used by others to impersonate the organization. Verisign had one such example. The new process involves the digital certificate being issued only on a hardware device (such as a USB stick). This hardware device must be installed on the computer at the time that it is creating the final update or installation files. This eliminates several software security vulnerabilities.

This new security standard has been implemented at Sonideft. There is nothing that you need to do and you should see no changes as a user. For those interested in more information, please refer to https://cabforum.org/wp-content/uploads/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v2.8.pdf
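
For readers who want to check a downloaded installer themselves before running it, the following is an added example and not Sonideft's own code. It assumes the signer's certificate subject contains "Sonideft" and that a "Sectigo" CA appears in the chain, as the post describes; the function name and the `.\setup.exe` path are hypothetical.

```powershell
# Added example. Assumptions: signer subject contains "Sonideft" and a CA in the
# chain contains "Sectigo" (both taken from the post, exact subject strings unknown).
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'Sonideft',   # assumed substring of the signer subject
        [string] $ExpectedIssuer = 'Sectigo'     # assumed substring of a CA subject
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' only means the file is unmodified and chains to a trusted root.
    # It says nothing about WHO signed it, so the signer is checked separately.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    $cert = $sig.SignerCertificate
    if ($cert.Subject -notlike "*$ExpectedSigner*") {
        Write-Warning "Unexpected signer: $($cert.Subject)"
        return $false
    }

    # Build the chain and confirm the expected CA appears above the signer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void] $chain.Build($cert)
    $caSubjects = $chain.ChainElements |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Certificate.Subject }
    if (-not ($caSubjects -like "*$ExpectedIssuer*")) {
        Write-Warning "Expected CA not found in chain: $($caSubjects -join ' | ')"
        return $false
    }

    return $true
}

# Hypothetical path to the downloaded installer.
Test-InstallerSignature -Path .\setup.exe
```

A result of `False` corresponds to the error cases described above: do not proceed with the install.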