Attackers have long targeted application vulnerabilities in order to breach systems and steal data. Recently they’ve been skipping a step and going directly after the tools developers use to actually build those applications.
The tools developers use make a very juicy target for attackers, and infecting them poses a dangerous and significant threat to enterprises. Consider the brute-force attacks that targeted the popular source code repository GitHub in 2013. After numerous accounts had been compromised, GitHub banned what it considers weak passwords and implemented rate limiting for login attempts.
That GitHub attack and the attack on Xcode aren’t isolated incidents. Recently, Apple acknowledged that its App Store endured a significant breach involving thousands of apps. The compromise was made possible when Chinese developers downloaded counterfeit copies of Xcode that were tainted with malware dubbed XcodeGhost. While Apple removed the infected apps, more than 4,000 tainted apps are estimated to have made it into the App Store.
Wolfgang Goerlich, a strategist with IT risk management firm CBI, explains why the recent spate of attacks on Apple’s development tools is notable. “The number of OS X computers continues to rise in the enterprise environment,” he says. “Few organisations are considering Macs from a security perspective, as the numbers have long been small and most security controls are Windows-based.”
“These types of attacks – infecting the compiler – used to be considered a potential threat by high security governmental organisations. You would be considered paranoid to present such a scenario as something that could impact the general public. And yet here we are,” says Yossi Naar, Co-founder of Cybereason.
“From a development perspective, the best practices in continuous integration and deployment would have prevented the attack against Apple’s App Store,” says Goerlich.
Chris Camejo, Director of Threat and Vulnerability Analysis for NTT Com Security, agrees. “This should be obvious, but developers should only use software from trusted sources like a vendor’s website or official app store, or verify that software packages they’ve downloaded haven’t been tampered with by verifying the software’s digital signatures when available,” he says.
Sri Ramanathan, CTO, Kony, says the same holds true for open source software. “To protect developers, enterprises need to ensure that any software used has been vetted and certified as safe for use,” he says. When it comes to Kony’s development environment, Ramanathan says that Kony developers working on a product cannot use open source unless it’s specifically approved, and that every piece of software is dynamically scanned prior to and after being approved for use.
“We also use a battery of internal and external pen tests to periodically certify all our runtimes. And we ensure that any open source software we use originates from a vibrant trusted community, and is actively supported, does not have too many known security flaws and is well documented,” Ramanathan explains.
For enterprises, it’s important that developers and the software development chain be protected like any other users and assets, perhaps more so in many instances. “For other tool chains, particularly open-source, it is important to verify the authenticity of the software before you use it,” says Bobby Kuzma, CISSP, Systems Engineer, Core Security. “Most open-source projects provide cryptographic hashes that you can use to verify the authenticity of downloaded software. Treating build servers as secure systems, with advanced security controls, similar to what should be used when dealing with sensitive cryptographic materials will help gain control against this type of threat,” he adds.
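As an added example (not code from the article or from any vendor quoted in it), a small Python checker for the hash-verification practice Kuzma describes: it parses a SHA256SUMS-style manifest, streams the download through SHA-256, and fails closed when the file is absent from the manifest or mismatched. The manifest format, the file names and the constructed digests are assumptions.

```python
"""Check a downloaded build tool against a SHA256SUMS-style manifest.
Added example, not code from the article. A matching digest shows the file was not
altered in transit, not who published it, so verify the manifest's signature too."""
import hashlib
import hmac
import os
import sys

def parse_sha256sums(text):
    """Parse 'HEX  name' / 'HEX *name' lines (coreutils format) into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in coreutils output
        if len(digest) != 64 or not set(digest) <= set("0123456789abcdefABCDEF") or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # stream so a multi-gigabyte installer need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_digest(actual_hex, name, manifest_text):
    """Return (ok, reason). A file missing from the manifest fails closed."""
    expected = parse_sha256sums(manifest_text).get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    if not hmac.compare_digest(actual_hex.lower(), expected):
        return False, f"{name}: expected {expected}, got {actual_hex}"
    return True, f"{name}: digest matches manifest"

def verify_download(path, manifest_text):
    return check_digest(sha256_file(path), os.path.basename(path), manifest_text)

# Constructed manifest: a correct entry for a demo file, then a deliberately wrong one.
DEMO_DIGEST = hashlib.sha256(b"trusted installer bytes").hexdigest()
SAMPLE_MANIFEST = f"{DEMO_DIGEST}  xcode-tool.pkg\n{'0' * 64} *tampered.pkg\n"

if __name__ == "__main__":  # usage: verify.py <downloaded file> <SHA256SUMS>
    with open(sys.argv[2], encoding="utf-8") as m:
        ok, reason = verify_download(sys.argv[1], m.read())
    print(reason)
    sys.exit(0 if ok else 1)
```

A non-zero exit status lets a build pipeline refuse to install the tool rather than merely log the mismatch.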
Enterprises need to make certain developers work in a clean environment, using development systems that are separate from those used to build apps, adds Goerlich. “The build machine is then kept in a secure hardened state, with the compiling automated. Even if the developers download malicious code such as XcodeGhost on their computers, the build computer is kept clean and what is submitted to the App Store is protected,” he says.
“For enterprises, strong network security management that monitors for malware connecting out to command-and-control computers is the first line of defense when identifying attacks like XcodeGhost,” Goerlich adds.