February 10, 2008   Sign In |  About ebizQ |  Contact Us |  Join ebizQ Gold Club
Peter Schooff
Peter Twenty-Four Seven Security
 Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

« SOA and Security | Main | Absolute Access Corrupts Absolutely »

October 16, 2007
Scary New Class of Security Exploits

I have to say I saw it coming. As exploit after exploit gets closed down for hackers to break into systems, I guess that does not mean that hackers suddenly start looking for a new line of work: what the look for is a new vulnerability to exploit.

Inevitably, the millionth email that tells you you're in dire danger unless you open this email right now simply does not work as well as the first. So what's a criminal to do? According to Fortify's Security Research Group, the new vulnerability allows a hacker to insert nasty code into a program as it is being constructed. Fortify is calling this new exploit 'Cross-Build Injection.'

According to Brian Chess (check out my podcast with him last month), Fortify's founder and Chief Scientist, "This new class of vulnerabilities highlights the increasing amount of attention hackers are paying to software development as a means of entry into enterprise systems. Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete. This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today."

Apparently, the systems that automatically download external dependencies (including popular build tools such as Ant, Maven and Ivy) are especially vulnerable. And by subverting the build process, hackers can actually compromise the very foundation of a project and replace it with something malicious like a Trojan horse or other malware.

While external dependencies don't always represent an unacceptable risk, it is definitely something worth watching out that this does not compromise the security of applications.

"This update to Fortify's Secure Coding Rulepacks underscores our commitment to providing the most up-to-date security offering available to protect our customers from attacks," said Jacob West, Manager of Fortify's Security Research Group. "Moreover, our ongoing contributions to the Java Open Review project enable us to continue our support of the open source community and consumers of open source software."

To read more about it, start here.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2767

Comments Post a comment




Remember Me?

(you may use HTML tags for style)

We ask that you type your code (displayed below) in the text box.This code is an image that cannot be read by a machine. It prevents automated programs from submitting comments.


Code:



Most Recent ebizQ Blog Entries
ADVERTISEMENT
Subscribe
News Feed
Recent Posts
Categories
Archives
Blog Roll
Blogosphere
This Work
Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
Subscribe to our Newsletters
ebizQ Weekly Gold Club Update
Live Webinar Updates
Updates from ebizQ Partners
ebizQ SOA Update
ebizQ BPM Update
ebizQ Security Update
ebizQ BI Update
ebizQ Open Source Software Update
Virtual Show Newsletter
Your E-mail Address:
BAM: The Killer App for CEP
Date: Feb 12, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Event Processing Market Pulse
Date: Feb 14, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Archived Webinars | Upcoming Webinars

Marketing Solutions | Feedback | About ebizQ | Unsubscribe | Privacy Policy | Site Map