PRevent: Open-source tool for detecting malicious code in pull requests

Apiiro security researchers recently announced the release of two open-source tools to help organizations detect malicious code within their software development lifecycle: PRevent, and a malicious code detection ruleset for the Semgrep and Opengrep static code analysis tools. Both are designed to combat the increasing threat of malicious code infiltrating repositories and packages.

The researchers identified two key anti-patterns after analyzing a large number of instances of malicious code: obfuscated or unreadable source code, and dynamic execution, which refers to code execution at runtime rather than at build or compile time. By focusing on coding anti-patterns that are rare in typical codebases but common in malicious code, the tools aim to provide a more accurate detection mechanism.

Matan Giladi, a security researcher at Apiiro, explained that while some malicious patterns may be common in legitimate code and could lead to false positives, the tools specifically target patterns that deviate from best practices and are prevalent in malicious code.

The malicious code detection ruleset, available on GitHub, encompasses rules for detecting the identified anti-patterns in code written in 15 programming languages. It is designed to be integrated into any CI/CD pipeline, allowing for detection at various stages of the software development process, such as build, testing, pre-deployment, and production.

PRevent, by contrast, is a tool triggered by pull request events on GitHub. It scans pull requests for malicious code and comments directly within them. Developers can create the tool within their GitHub organization or account and deploy it to a server. PRevent communicates with GitHub and offers additional features such as including or excluding specific repositories and branches in the scan, blocking merging until reviewer approval, and triggering code reviews from designated reviewers.
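A minimal sketch of the approach described above, as an added example that is not Apiiro's ruleset or PRevent's code: it judges only the lines a pull-request diff adds, and flags the two anti-patterns, dynamic execution and obfuscated literals. The regexes, the entropy threshold, the rule names and the sample diff are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Illustrative heuristics (assumptions, not the published ruleset).
DYNAMIC_EXEC = re.compile(r"\b(eval|exec|compile|__import__)\s*\(")
DECODERS = re.compile(r"\b(b64decode|a85decode|unhexlify|fromhex|decompress)\s*\(")
LONG_LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/=]{40,})\1""")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off

def shannon_entropy(text):
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for each finding on an added line."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):            # hunk header: take new-file start line
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) if m else line_no
        elif raw.startswith("+"):             # added line: the only code we judge
            code = raw[1:]
            if any(shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD
                   for m in LONG_LITERAL.finditer(code)):
                findings.append((path, line_no, "obfuscated-literal"))
            if DYNAMIC_EXEC.search(code):
                rule = "dynamic-exec-of-decoded-data" if DECODERS.search(code) else "dynamic-exec"
                findings.append((path, line_no, rule))
            line_no += 1
        elif raw.startswith(" "):             # context line advances the counter
            line_no += 1
    return findings

# Constructed sample diff; the literal is base64 of a harmless alphabet string.
SAMPLE_DIFF = """\
--- a/setup.py
+++ b/setup.py
@@ -1,2 +1,6 @@
 from setuptools import setup
+import base64
+_k = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2g="
+exec(base64.b64decode(_k))
+VERSION = "1.0.1"
 setup(name="demo", version="1.0.0")
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```

Removed and context lines are never flagged, so findings point only at code the pull request introduces.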

Giladi emphasized the importance of correct workflows in utilizing these tools effectively. While the detection of dynamic execution and obfuscation is robust, ensuring proper scanning of code is crucial for effective defense against malicious code. For example, Giladi noted that while the ruleset correctly flags the xz backdoor payload, without the right workflow in place, the code may not be scanned. Scanning pull requests serves as a foundational step in the process.

Overall, the release of these tools represents a proactive approach to enhancing security within the software development lifecycle. By leveraging advanced detection mechanisms and integrating them into existing workflows, organizations can strengthen their defenses against malicious code and mitigate potential risks associated with it. As the threat landscape continues to evolve, tools like PRevent and the malicious code detection ruleset play a critical role in safeguarding software development processes from malicious intent.
