Fortify Software


Fortify Software Identifies and Protects Against New Class of Vulnerabilities — Cross-Build Injection — Tied To Open Source Software

Enterprises using open source software for custom applications could unknowingly integrate exploits; Latest rulepack update protects against new attacks

PALO ALTO, Calif., October 9, 2007 - Fortify Software, the market leader in enterprise application security solutions, today announced that Fortify’s Security Research Group has identified a new class of security vulnerabilities, known as cross-build injection. These vulnerabilities, which Fortify discovered through its work with the Java Open Review (JOR) project (opensource.fortify.com), allow a hacker to insert code into the target program while it is being constructed. In order to educate the industry and protect its customers, Fortify has released a whitepaper detailing this new class of vulnerabilities, as well as an update to the Fortify Secure Coding Rulepacks that enables developers and security professionals to eliminate these vulnerabilities. In addition, the rulepack update includes support for the Common Weakness Enumeration (CWE) standard and LDAP injection vulnerabilities.

The whitepaper, “Attacking the Build through Cross-Build Injection”, can be found here.

“This new class of vulnerabilities highlights the increasing amount of attention hackers are paying to software development as a means of entry into enterprise systems,” said Brian Chess, Fortify’s founder and Chief Scientist. “Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete. This has happened in the past and the newest build tools are causing enterprises to be much more vulnerable to this type of attack today.”

Automated and repeatable systems for compiling code were created to simplify and facilitate the software development process; however, they have also opened the doors to possible system-wide exploits. If an attacker compromises either the server that hosts a component or the DNS server that the build machine uses to locate that server, the attacker can leverage these vulnerabilities to take full control of the build machine and possibly other machines on the remote network.

Cross-build injection attacks are the latest type of threat facing developers and security professionals. Fortify’s Security Research Group discovered that during the application build process, systems that automatically download external dependencies (including the popular build tools Ant, Maven and Ivy) were particularly vulnerable. Fortify’s research concluded that by subverting the build process, hackers could compromise the basic source for the project and replace it with a version that included malicious components, such as Trojan horses and other malware. While external dependencies and open source components do not necessarily represent an unacceptable security risk, Fortify’s researchers demonstrate that they deserve proper vetting to ensure that they do not compromise the security of applications that make use of them.
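The two paragraphs above describe the exposure: the build tool accepts whatever bytes the dependency host (or a spoofed DNS answer that points the build at another host) returns. The following is an added example, not part of the press release and not Fortify’s code, of one mitigation a build team can apply on its own: record a SHA-256 for every artifact the project has reviewed, and refuse any download that does not match. The lockfile format, the artifact names and contents, and the `honest_fetch`/`substituted_fetch` stand-ins for the remote repository are all constructed for illustration.

```python
"""Pinned-checksum verification for build-time dependencies.

Added example, not part of the original press release and not Fortify's
code.  A build that trusts the bytes a remote repository serves is only
as trustworthy as that server and the DNS answer that located it.
Pinning a SHA-256 per artifact in a lockfile turns a silently swapped
artifact into a hard build failure.  Everything below (lockfile layout,
artifact names, contents, fetch functions) is constructed.
"""
import hashlib
import hmac


class DependencyVerificationError(Exception):
    """Raised when a fetched artifact cannot be trusted."""


# Constructed: the artifact bytes the project reviewed and decided to trust.
REVIEWED_ARTIFACTS = {
    "example-lib-1.0.jar": b"PK\x03\x04 example-lib 1.0 (reviewed contents)",
    "example-util-2.3.jar": b"PK\x03\x04 example-util 2.3 (reviewed contents)",
}

# The lockfile checked into source control: artifact name -> hex SHA-256.
LOCKFILE = {name: hashlib.sha256(data).hexdigest()
            for name, data in REVIEWED_ARTIFACTS.items()}


def verify_artifact(name: str, data: bytes, lockfile: dict) -> str:
    """Return the artifact's SHA-256 if it matches the pinned value, else raise."""
    if name not in lockfile:
        # An unpinned dependency is exactly the unvetted component the text warns about.
        raise DependencyVerificationError(
            f"{name}: no pinned checksum; refusing to pull in an unvetted dependency")
    actual = hashlib.sha256(data).hexdigest()
    expected = lockfile[name]
    if not hmac.compare_digest(actual, expected):
        raise DependencyVerificationError(
            f"{name}: checksum mismatch (expected {expected[:12]}..., got {actual[:12]}...); "
            "the served artifact is not the reviewed one")
    return actual


def is_trusted(name: str, data: bytes, lockfile: dict) -> bool:
    """Boolean form of verify_artifact for callers that want to log and continue."""
    try:
        verify_artifact(name, data, lockfile)
        return True
    except DependencyVerificationError:
        return False


def resolve_dependencies(requested, lockfile: dict, fetch) -> dict:
    """Fetch every requested artifact; return {name: bytes} only if all verify.

    `fetch(name)` stands in for the build tool's download step and returns
    the raw bytes the remote repository served.  The first failure aborts
    the whole resolution so nothing unverified reaches the compiler.
    """
    verified = {}
    for name in requested:
        data = fetch(name)
        verify_artifact(name, data, lockfile)
        verified[name] = data
    return verified


# Constructed stand-ins for the remote repository.
def honest_fetch(name: str) -> bytes:
    """The genuine repository serving the reviewed artifacts."""
    return REVIEWED_ARTIFACTS[name]


def substituted_fetch(name: str) -> bytes:
    """A compromised host, or a host reached via a spoofed DNS answer,
    serving different bytes under the same coordinates."""
    if name == "example-lib-1.0.jar":
        return b"PK\x03\x04 example-lib 1.0 (altered contents)"
    return REVIEWED_ARTIFACTS[name]


if __name__ == "__main__":
    print("verified:", sorted(resolve_dependencies(list(LOCKFILE), LOCKFILE, honest_fetch)))
    try:
        resolve_dependencies(list(LOCKFILE), LOCKFILE, substituted_fetch)
    except DependencyVerificationError as err:
        print("build stopped:", err)
```

The pinned digests must live with the project (in source control), not beside the artifact on the repository server: a checksum file fetched from the same host as the artifact is controlled by whoever controls that host, so it adds nothing against the compromise described above. Updating a pin is then a reviewed change, which is the “proper vetting” the text calls for.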

“This update to Fortify’s Secure Coding Rulepacks underscores our commitment to providing the most up-to-date security offering available to protect our customers from attacks,” said Jacob West, Manager of Fortify’s Security Research Group. “Moreover, our ongoing contributions to the Java Open Review project enable us to continue our support of the open source community and consumers of open source software.”

In addition to protecting against cross-build injection attacks, the rulepack update extends Fortify’s security offering with the following:

  • Support for the emerging CWE standard, an effort aimed at creating a common language for identifying software vulnerabilities, by cross-referencing Fortify vulnerability descriptions with CWE entries.
  • Support for identifying both LDAP injection and LDAP manipulation vulnerabilities in the most popular LDAP APIs for Java, .NET and C/C++, including JNDI, Microsoft Windows API and Directory services, Netscape LDAP API and Spring Framework. These vulnerabilities occur when a program mistakenly constructs a dynamic LDAP statement with user input, which can allow an attacker to modify the statement’s meaning or execute arbitrary LDAP commands.
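The second bullet describes the defect the rulepack looks for: a search filter or distinguished name assembled from user input by string concatenation. The following added example (not part of the press release and not the rulepack’s own logic) shows the flawed construction next to the escaped form, in plain Python so it runs without a directory server. The escaping follows RFC 4515 (search filter strings) and RFC 4514 (DN strings); the login filter shape, the `uid=...,ou=people,dc=example,dc=com` naming and all sample inputs are constructed for illustration, and `assertion_count` is a small structural check written for this example, not a full filter parser.

```python
"""Escaping untrusted input before it reaches an LDAP filter or DN.

Added example, not part of the original press release and not Fortify's
rulepack.  Shows the pattern the rules flag (input spliced into a filter
string) beside the escaped form that keeps the input inside one
attribute value.  Filter and DN shapes and all inputs are constructed.
"""

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape so the string can only ever be a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 section 2.4: characters that need a backslash in a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")  # leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append(r"\#")  # leading '#' would otherwise start a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def login_filter_unsafe(uid: str, password: str) -> str:
    """The construction the rulepack flags: untrusted input spliced into the filter."""
    return f"(&(uid={uid})(userPassword={password}))"


def login_filter_safe(uid: str, password: str) -> str:
    """Same filter, with every untrusted value escaped as a literal."""
    return (f"(&(uid={escape_filter_value(uid)})"
            f"(userPassword={escape_filter_value(password)}))")


def user_dn_safe(uid: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Build a user DN (constructed naming) without letting the uid add RDNs."""
    return f"uid={escape_dn_value(uid)},{base_dn}"


def assertion_count(filter_str: str) -> int:
    """Count leaf '(attr=value)' groups by scanning unescaped parentheses.

    Enough to show whether injected input changed the filter's structure;
    raises ValueError on unbalanced parentheses.  Not a full RFC 4515 parser.
    """
    stack = []   # one entry per open group: True once it has a nested group
    count = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3           # skip a \XX escape sequence
            continue
        if ch == "(":
            if stack:
                stack[-1] = True
            stack.append(False)
        elif ch == ")":
            if not stack:
                raise ValueError("unbalanced filter")
            if not stack.pop():
                count += 1   # closed a group with no children: a leaf assertion
        i += 1
    if stack:
        raise ValueError("unbalanced filter")
    return count


if __name__ == "__main__":
    injected = "*)(uid=*"  # constructed input that tries to add an assertion
    print(login_filter_unsafe(injected, "x"), assertion_count(login_filter_unsafe(injected, "x")))
    print(login_filter_safe(injected, "x"), assertion_count(login_filter_safe(injected, "x")))
```

With the constructed input `*)(uid=*`, the unescaped filter gains a third assertion and matches every entry with a `uid`, while the escaped filter keeps two assertions and searches for the literal string. Where a client library offers its own escaping for filter values and RDNs, prefer that over a hand-written table; and authenticate users by binding as them rather than by comparing `userPassword` in a filter, so the password never appears in a search string at all.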

Fortify’s Security Research Group, a team of software security experts that focuses on identifying new threats and developing ways to protect against them, developed and integrated these new rules. Thanks to their efforts, Fortify continues to lead the industry in identifying threats and developing solutions to address them. A full listing of security vulnerability categories can be viewed at http://www.fortify.com/vulncat/.

The rules developed by the Security Research Group are incorporated into Fortify’s suite of products:

  • Fortify® SCA — The world’s most proven and widely used source code security analysis solution
  • Fortify® Defender — A contextual Web application firewall that operates inside the application to provide the most accurate and comprehensive protection
  • Fortify® Tracer — An essential tool for improving application penetration tests; providing the exact line of code for each vulnerability and identifying parts of the application the test failed to reach

This rulepack update is one of the many benefits reaped from Fortify’s continued work with JOR to remediate security vulnerabilities and quality bugs in widely-used open source code. Through JOR, Fortify continuously analyzes more than 100 open source projects comprising more than 40 million lines of code and has identified 494 confirmed defects. A few of the most noteworthy projects that participate in JOR include Apache Commons, Azureus, DWR, Google Web Toolkit (GWT), Hibernate, Spring, Struts and Zimbra.

About the Java Open Review Project

The Java Open Review (JOR) project was established in December 2006 to boost quality and security in open source software written in Java, one of the fastest growing programming languages used by open source software developers. Through the discovery and reporting of bugs and security vulnerabilities before they become major issues, JOR offers project owners a full analysis of their code so they can quickly act on the findings, while offering consumers a means to gauge the level of risk involved in various open source components. JOR is the only forum dedicated to finding issues in open source Java code.

JOR, which practices responsible disclosure, invites the open source software community to submit their Java software projects for a quality and security review. The efforts are being led by qualified volunteers using Fortify Source Code Analysis, the world’s most proven and widely used source code security analysis solution, and FindBugs, which has been downloaded more than 350,000 times and is used by hundreds of leading global companies to pinpoint quality issues within Java code.

More information is available at http://opensource.fortify.com.

About Fortify Software, Inc.

Fortify® Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products (Fortify SCA, Fortify Manager, Fortify Tracer and Fortify Defender) drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.

Press Contacts - Fortify

North America: Lisa Eskey, Sterling Communications, 1-408-884-5157, leskey@sterlingpr.com
UK: Laura Mead, Johnson King Public Relations, +44 (0) 20 7357 7799, lauram@johnsonking.co.uk
Austria, Germany and Switzerland: Ingrid Daschner, Johnson King Public Relations, +49 (0) 894085-11, ingridd@johnsonking.de
