This in turn, could allow a malicious user to compromise the component hosting or domain name system server, and use this to take control of the build machine and other computers on the remote network, experts at Fortify said.
"This new class of vulnerabilities highlights the increasing amount of attention hackers are paying to software development as a means of entry into enterprise systems," said Brian Chess, founder and chief scientist at Fortify.
"Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete," he added.
Systems that automatically download external dependencies, such as the build tools Ant, Maven and Ivy, are particularly vulnerable, Fortify claimed.
The security company has updated its secure coding rulepacks in an attempt to tackle the flaws and has released a white paper on the attacks.
.png&h=140&w=231&c=1&s=0)
.png&w=100&c=1&s=0)
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
Digital Leadership Day Federal
Government Cyber Security Showcase Federal
Government Innovation Showcase Federal
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
