Cryptographic verification of executables is a core security feature that many third-party developers and security personnel have learned to trust. During this talk, the speaker will cover the most recent Apple code signing bug that was found to affect everyone that uses Apple’s documented APIs for conducting code signing checks of signed applications. This will include the methodology for finding the issue, the reporting process, working with vendors, and a path forward for organizations that use Apple code signing as a measure of trust.
Josh Pitts is a Senior Penetration Testing Engineer at Okta with over 15 years’ experience conducting physical and IT security assessments, IT security operations support, penetration testing, malware analysis, reverse engineering and forensics. He also served in the Marines working in SIGINT during the last part of the 20th Century. He likes to write low level code and flip bits for fun. Sometimes this leads to the discovery of funny bugs and to Russians patching stuff over the Internet.