
Another 'Cross' to Bear

Cross-site scripting, cross-site request forgery - and now, cross-build injection (CBI)

5:45 PM -- Yes, it's another vulnerability that starts with the words "cross something-or-other." But before you allow your eyes to glaze over, consider this: You won't even have to make coding mistakes for these bugs to surface in your internal apps. (See Hackers Attack Apps While Still in Development.)

An old problem -- attackers planting backdoors in open-source development tools -- is apparently resurfacing. And now it's got a name -- cross-build injection (CBI) -- thanks to Fortify Software.

Fortify decided to dig into the problem after discovering, through its work with the Java Open Review (JOR) project, just how simple it is for an attacker to slip his own code into an application while it is still under development -- by way of today's more automated build processes, which fetch components from remote sites without anyone looking at them.

It was a bit of a shock: "When we were building code for JOR, we realized that we were automatically downloading code from other Web sites," says Brian Chess, CTO at Fortify. "This isn’t a big risk for us because we only analyze the code -- we don’t run it -- but it is a big risk for people who are intending to actually use the projects they’re building."

So while application developers have been under fire for shoddy code-writing (think Website vulns), it turns out the tools they're using to automate the "build" of their apps should be under scrutiny as well.
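One defender-side check for the build step Chess describes: record a hash for every artifact the build fetches from a remote site, then refuse to build when a download does not match its pin or was never pinned at all. This is an added example, not code from Fortify or the JOR project; the artifact names and contents are constructed.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()

def pin_artifacts(known_good: dict) -> dict:
    """Record the hash of each artifact once, from a copy that was reviewed by hand.
    In practice this manifest is committed to version control beside the build script."""
    return {name: sha256_hex(data) for name, data in known_good.items()}

def verify_download(name: str, data: bytes, manifest: dict):
    """Check one fetched artifact against the pinned manifest.
    Returns (accepted, reason). Anything not pinned is rejected, so a build
    cannot silently start pulling a new artifact from some remote site."""
    expected = manifest.get(name)
    if expected is None:
        return False, "unpinned artifact"
    actual = sha256_hex(data)
    # Constant-time compare; not strictly required for a hash, but it costs nothing.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "ok"

def gate_build(downloads: dict, manifest: dict) -> list:
    """Return the names of fetched artifacts that must not enter the build.
    An empty list means every download matched its pin."""
    return [name for name, data in downloads.items()
            if not verify_download(name, data, manifest)[0]]

# Constructed sample: the copies a developer reviewed and pinned ...
REVIEWED = {
    "parser-lib-1.2.jar": b"PK...reviewed parser bytes",
    "build-plugin-0.9.jar": b"PK...reviewed plugin bytes",
}
MANIFEST = pin_artifacts(REVIEWED)

# ... and what a later automated build actually fetched: one artifact altered
# upstream, and one extra dependency that was never reviewed or pinned.
FETCHED = {
    "parser-lib-1.2.jar": b"PK...reviewed parser bytes",
    "build-plugin-0.9.jar": b"PK...reviewed plugin bytes plus injected class",
    "helper-util-3.0.jar": b"PK...never reviewed",
}

if __name__ == "__main__":
    rejected = gate_build(FETCHED, MANIFEST)
    if rejected:
        raise SystemExit(f"build aborted, rejected artifacts: {rejected}")
    print("all build inputs matched their pins")
```

The pin only proves a download is the same bytes that were reviewed, so the review of that first copy is what the whole check rests on.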

— Kelly Jackson Higgins, Senior Editor, Dark Reading
