This in turn, could allow a malicious user to compromise the component hosting or domain name system server, and use this to take control of the build machine and other computers on the remote network, experts at Fortify said.
"This new class of vulnerabilities highlights the increasing amount of attention hackers are paying to software development as a means of entry into enterprise systems," said Brian Chess, founder and chief scientist at Fortify.
"Instead of exploiting vulnerabilities in applications that are already deployed, attackers can subvert the development process by inserting holes before the software is complete," he added.
Systems that automatically download external dependencies, such as the build tools Ant, Maven and Ivy, are particularly vulnerable, Fortify claimed.
The security company has updated its secure coding rulepacks in an attempt to tackle the flaws and has released a white paper on the attacks.
_(37).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
_(1).jpg&h=140&w=231&c=1&s=0)
