New Open-Source Tools Give CISOs Weapons Against Malicious Code

Despite an abundance of security systems, there remains a lack of adequate defenses against malicious code attacks.

Application security company Apiiro announced Wednesday that it released a set of open-source tools that it says can help CISOs and their security teams detect and defend against malicious code.

The tools include a malicious code detection ruleset for Semgrep and Opengrep, which is “comprehensive, minimizes false-positives, and focuses solely on the purest forms separating malicious from benign code,” according to a blog post by Apiiro security researcher Matan Giladi.

The other tool is PRvent, an app that scans pull request events and notifies about suspicious code. The app offers “seamless integration, high configurability, and essential orchestration features,” Giladi wrote.

Apiiro also published research on malicious code attacks. A few key takeaways from the research include:

Apiiro researchers also weighed in on their findings and reasons for developing and releasing the free, open-source security tools.

“It’s remarkable that we have so many security systems to prevent malicious code execution via vulnerabilities that may not even exist, yet we lack fundamental defenses against malicious code being added directly into our codebase. This needs to change,” Giladi said in his blog post.

“Detection of dynamic execution and obfuscation is simple yet powerful, catching nearly all known incidents and forming a rock-solid foundation for malicious code defense. However, its success hinges on the adoption of correct workflows. For example, our ruleset correctly flags the xz backdoor payload, but without the right workflow, the code just won’t be scanned. Scanning pull requests is a baseline and an essential first step,” the post further stated.
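As an added illustration of the “dynamic execution plus obfuscation” pairing the post describes, here is a toy detector written for this article (it is not code from Apiiro's ruleset or PRvent). It uses Python's standard `ast` module to flag runtime code-execution calls and mark whether their input was built from a decoder; the function names and sample snippets are constructed for the example.

```python
import ast

# Calls that execute or load code at runtime.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# Calls that turn an opaque blob back into source text; paired with the
# set above they are the obfuscation markers this toy detector looks for.
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "fromhex",
            "decompress", "unhexlify", "chr"}

def _call_name(node):
    """Bare callee name of a Call node: 'b64decode' for base64.b64decode()."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None

def _uses_decoder(node, tainted):
    """True if `node` calls a decoder or reads a variable built from one."""
    for n in ast.walk(node):
        if isinstance(n, ast.Call) and _call_name(n) in DECODERS:
            return True
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
    return False

def find_dynamic_exec(source):
    """Return sorted [(line, callee, obfuscated)] for each dynamic-exec call;
    obfuscated is True when its first argument derives from a decoder."""
    tree = ast.parse(source)
    tainted = set()  # variables assigned from a decoder expression
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _uses_decoder(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in DYNAMIC_EXEC:
            obf = bool(node.args) and _uses_decoder(node.args[0], tainted)
            findings.append((node.lineno, _call_name(node), obf))
    return sorted(findings)

# Constructed sample inputs (not taken from any real incident or project).
BENIGN = "import json\ncfg = json.loads(open('c.json').read())\nprint(cfg)\n"
PLAIN_EXEC = "code = open('plugin.py').read()\nexec(code)\n"
OBFUSCATED = ("import base64, zlib\n"
              "blob = 'CONSTRUCTED_BLOB_PLACEHOLDER'\n"
              "payload = zlib.decompress(base64.b64decode(blob))\n"
              "exec(payload)\n")
```

A pull-request workflow of the kind the post calls for would run `find_dynamic_exec` over each changed Python file and treat an `obfuscated=True` hit as a blocking finding, while a plain `exec` of a file read is a lower-priority review item.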