PALO ALTO, Calif. -- Fortify Software, the market leader in enterprise application security solutions, today announced that Fortify's Security Research Group has identified a new class of security vulnerabilities, known as cross-build injection. These vulnerabilities, which Fortify discovered through its work with the Java Open Review (JOR) project (opensource.fortify.com), allow a hacker to insert code into the target program while it is being constructed. In order to educate the industry and protect its customers, Fortify has released a whitepaper detailing this new class of vulnerabilities, as well as an update to the Fortify Secure Coding Rulepacks that enables developers and security professionals to eliminate these vulnerabilities. In addition, the rulepack update includes support for the Common Weakness Enumeration (CWE) standard and LDAP injection vulnerabilities.
The whitepaper, "Attacking the Build through Cross-Build Injection," can be found at http://www.fortifysoftware.com/servlet/downloads/public/fortify_attacking_the_build.pdf.
"This new class of vulnerabilities highlights the increasing amount of attention hackers are paying to software development as a means of entry into enterprise systems," said Brian Chess, Fortify's founder and Chief Scientist. "Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete. This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today."