Fortify Identifies Vulnerabilities in Open Source Software

Fortify Software announced that Fortify's Security Research Group has identified a new class of security vulnerabilities, known as cross-build injection. These vulnerabilities, which Fortify discovered through its work with the Java Open Review (JOR) project, allow an attacker to insert code into the target program while it is being built. To educate the industry and protect its customers, Fortify has released a whitepaper detailing this class of vulnerabilities, as well as an update to the Fortify Secure Coding Rulepacks that enables developers and security professionals to eliminate them. The rulepack update also adds support for the Common Weakness Enumeration (CWE) standard and for LDAP injection vulnerabilities.

The whitepaper, "Attacking the Build through Cross-Build Injection" can be found here.

“This new class of vulnerabilities highlights the increasing amount of attention hackers are paying to software development as a means of entry into enterprise systems,” said Brian Chess, Fortify’s founder and Chief Scientist. “Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete. This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today.”

Automated and repeatable build systems were created to simplify the software development process, but they have also opened the door to system-wide compromise. If an attacker controls either the server that hosts a component or the DNS server the build machine uses to locate that server, the attacker can substitute a malicious component for the genuine one and use it to take full control of the build machine and possibly other machines on the same network.

Cross-build injection attacks are the latest type of threat facing developers and security professionals. Fortify's Security Research Group found that build systems that automatically download external dependencies, including the popular build tools Ant, Maven and Ivy, are particularly exposed. By subverting the build process, an attacker can replace the project's source or one of its dependencies with a version that includes malicious components, such as Trojan horses and other malware, and have that code compiled into the finished product. While external dependencies and open source components do not necessarily represent an unacceptable security risk, Fortify's researchers demonstrate that they deserve proper vetting to ensure that they do not compromise the security of the applications that use them.
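The two preceding paragraphs describe the attack (a compromised repository host or DNS redirect hands the build a substituted component) but not the check that stops it. The following is an added example, written for this page and not taken from the whitepaper, Fortify, or any of the named build tools; it is in Python rather than Ant/Maven/Ivy XML so that the two verification strategies can actually be run against each other. The `Repository` class, the artifact bytes, the path `org/example/lib/1.0/lib-1.0.jar` and the `PINNED_HASHES` table are all constructed for the demo. It contrasts verifying a download against a checksum file served by the same repository (which the attacker republishes along with the trojaned artifact) with verifying against a hash pinned in the project's own source.

```python
"""Pin-and-verify check for build-time dependency downloads.

Added example (Python, not the Java build tools named on the page, and not
Fortify's or any tool's own code). It simulates a build script fetching a
dependency from a repository to show two things:
  1. a checksum served by the same repository catches corruption but not a
     substituted artifact, because whoever controls the server (or the DNS
     name that resolves to it) controls the checksum file too;
  2. a hash pinned in the project's own source, taken from a trusted copy,
     rejects the substituted artifact.
The artifact bytes, path and Repository class are constructed for this demo.
"""
import hashlib
import hmac

# Constructed stand-ins for a dependency's bytes: the genuine jar and a
# trojaned rebuild that an attacker has placed on a compromised host.
GENUINE_JAR = b"PK\x03\x04 genuine-library-1.0 contents"
TROJANED_JAR = b"PK\x03\x04 genuine-library-1.0 contents + injected backdoor"
ARTIFACT_PATH = "org/example/lib/1.0/lib-1.0.jar"  # hypothetical coordinates


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Repository:
    """Minimal stand-in for a remote artifact repository.

    Serves the artifact and a sidecar checksum file next to it, the way
    Maven-style repositories publish artifact.jar and artifact.jar.sha1.
    An attacker who can replace the artifact can regenerate the sidecar too.
    """

    def __init__(self, artifact: bytes):
        self._files = {
            ARTIFACT_PATH: artifact,
            ARTIFACT_PATH + ".sha256": sha256_hex(artifact).encode(),
        }

    def fetch(self, path: str) -> bytes:
        return self._files[path]


def fetch_trusting_sidecar(repo: Repository, path: str) -> bytes:
    """Weak: verify against the checksum file fetched from the same server.

    This only detects transmission errors. It passes for any artifact the
    server chooses to serve, including a trojaned one.
    """
    data = repo.fetch(path)
    served = repo.fetch(path + ".sha256").decode()
    if not hmac.compare_digest(sha256_hex(data), served):
        raise ValueError(f"{path}: checksum file does not match download")
    return data


# Hashes pinned in the project's own (reviewed, version-controlled) source,
# recorded from a copy of the dependency obtained through a trusted channel.
PINNED_HASHES = {ARTIFACT_PATH: sha256_hex(GENUINE_JAR)}


def fetch_with_pin(repo: Repository, path: str,
                   pinned: dict = PINNED_HASHES) -> bytes:
    """Hardened: verify against a hash the build carries with it.

    The repository and DNS are treated as untrusted transport: they can
    deliver the bytes but cannot choose what the build accepts.
    """
    expected = pinned.get(path)
    if expected is None:
        raise ValueError(f"{path}: no pinned hash, refusing unvetted dependency")
    data = repo.fetch(path)
    if not hmac.compare_digest(sha256_hex(data), expected):
        raise ValueError(f"{path}: download does not match pinned hash")
    return data


def accepted(fetcher, repo: Repository, path: str = ARTIFACT_PATH) -> bool:
    """True if the fetcher would hand the artifact to the build, False if rejected."""
    try:
        fetcher(repo, path)
        return True
    except ValueError:
        return False


def run_scenarios() -> dict:
    """Each strategy against an honest host and a compromised or DNS-redirected one."""
    honest, hostile = Repository(GENUINE_JAR), Repository(TROJANED_JAR)
    return {
        "sidecar/honest": accepted(fetch_trusting_sidecar, honest),
        "sidecar/hostile": accepted(fetch_trusting_sidecar, hostile),
        "pinned/honest": accepted(fetch_with_pin, honest),
        "pinned/hostile": accepted(fetch_with_pin, hostile),
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:16} {'accepted' if ok else 'rejected'}")
```

Running it shows the sidecar strategy accepting the trojaned artifact from the hostile host while the pinned strategy rejects it; the pinned strategy also refuses any dependency that has no recorded hash, which is the behaviour wanted when a new, unvetted component appears in a build. The caveat for users of the tools named above: a setting such as Maven's `<checksumPolicy>fail</checksumPolicy>` compares the download against the `.sha1`/`.md5` files published beside the artifact on the same repository, which is the first, weaker pattern here, so it does not by itself defend against a host that has been replaced or redirected. The hashes that matter are the ones the project records and reviews itself.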

"This update to Fortify's Secure Coding Rulepacks underscores our commitment to providing the most up-to-date security offering available to protect our customers from attacks," said Jacob West, Manager of Fortify's Security Research Group. "Moreover, our ongoing contributions to the Java Open Review project enable us to continue our support of the open source community and consumers of open source software."