Like most good developers, I always take precautions to prevent SQL injection. We also have to worry about cross-site scripting, but now cross-build injection is becoming a concern. The idea is that an attacker compromises a server that hosts a build component, or the DNS server used to find that server, and can then take control of the build machine and inject code into an application while it's being built. Am I the only one this frightens? I don't work on any projects that use a remote server for builds or dependency tracking, but I do use quite a bit of software that's built on them.
Consider a scenario like this: I'm using an open source library to handle zipping and unzipping files in an application I'm deploying to multiple servers on my corporate network. Now suppose the build or dependency server of that open source library has been compromised and a trojan has been inserted into the library. I've now unknowingly introduced that trojan to several production servers on my corporate network. Developers and IT departments are obsessed with securing their networks and operating systems; the development stack must be secured as well.
It seems the main culprit is the automated dependency management system. According to Brian Chess of Fortify Software:
The first and simplest is to refrain from adopting automated dependency management systems altogether. Managing dependencies manually eliminates the potential for unexpected behavior caused by the build system.
While I haven’t heard of an open source project being compromised yet, I don’t think it’s unreasonable to say that the possibility is there. Here’s a link (pdf) to the Fortify Software report detailing the topic.
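Between abandoning automated dependency management altogether and trusting the build server blindly there is a middle ground: pin a digest for every dependency when it is first vetted and refuse to build if the fetched artifact no longer matches. The following is an added example written for this post, not code from the original post or from Fortify's report. It models the zip-library scenario above: the "lockfile" of pinned SHA-256 digests, the library bytes and the "trojaned" copy served by a compromised dependency server are all constructed stand-ins, and the function names are my own.

```python
"""Verify fetched build dependencies against pinned SHA-256 digests.

Added example (not from the original post or the Fortify report). It shows
the check a pinned lockfile gives against cross-build injection: if the
dependency server or its DNS is hijacked and a trojaned library is served
in place of the real one, the digest recorded when the dependency was first
vetted no longer matches and the build refuses to continue.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_hex: str) -> bool:
    """True only if the artifact hashes to the pinned digest.

    compare_digest does a constant-time comparison and also rejects a
    pinned value of the wrong length instead of silently accepting it.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_all(pins: dict, fetched: dict) -> list:
    """Check every fetched artifact against the lockfile.

    pins    -- artifact name -> pinned SHA-256 hex digest (the lockfile)
    fetched -- artifact name -> bytes retrieved from the dependency server
    Returns the names that failed, either because the bytes do not match
    the pin or because the artifact has no pin at all; an unpinned
    dependency is treated as a failure, not waved through.
    """
    failures = []
    for name, data in fetched.items():
        pin = pins.get(name)
        if pin is None or not verify_artifact(data, pin):
            failures.append(name)
    return sorted(failures)


# Constructed sample artifacts standing in for a real zip library build.
GOOD_ZIPLIB = b"zip-library-1.0: inflate/deflate routines"
TROJANED_ZIPLIB = GOOD_ZIPLIB + b"\n# injected: connect back to attacker"

# The "lockfile": digests recorded when the dependency was first reviewed.
# In practice this is committed alongside the project, not computed at
# build time; it is computed here only so the example runs offline.
PINS = {"ziplib-1.0": sha256_hex(GOOD_ZIPLIB)}


def demo() -> list:
    """Simulate a build that pulls a tampered copy of the library."""
    fetched = {"ziplib-1.0": TROJANED_ZIPLIB}
    return verify_all(PINS, fetched)


if __name__ == "__main__":
    print("failed dependencies:", demo())  # ['ziplib-1.0']
```

The pin has to come from a copy you reviewed yourself (or from the project's signed release announcement), not from the same server that serves the artifact; a mirror that can substitute the library can substitute a checksum file sitting next to it just as easily.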