Software developers have been lionized in recent years for their influence over the information economy. At the Node Summit in San Francisco, California, on Wednesday, Guy Podjarny, CEO and cofounder of security biz Snyk, reminded an audience full of devs that they've become a popular vector for malware distribution.
Programmers, he said "have become far more powerful today than ever before" in terms of their access to information and their reach.
At the same time, he said, they're often overconfident about their susceptibility to attack. He pointed to an internal Salesforce phishing test that found developers were the second most likely group of employees to click on a phishing link. Marketers were the most gullible, apparently.
To underscore that point, he recounted the 2013 hack of The Financial Times by the Syrian Electronic Army and an analysis posted by developer Andrew Betts, then director of FT Labs, that acknowledges as much.
"Developers might well think they’d be wise to all this – and I thought I was," Betts wrote.
To highlight the risk, Podjarny reviewed several examples in which developers propagated malware.
Apple's XCode IDE, presently a hefty 5.3GB, weighed in at about 3GB in 2015, he said. That was still too much for programmers in China who had to endure slow download speeds due the country's Great Firewall. In response, someone placed a copy of XCode on a Baidu file sharing site, however, the software had been altered to include compiler malware called XCodeGhost.
XCodeGhost iOS infection toll rises from 39 to a WHOPPING 4,000 appsREAD MORE
The malware, which went undetected for four months and compromised hundreds of apps, modified a CoreServices object file with malicious code that infected iOS apps during compilation. It created extra interface elements designed to capture personal information.
"What's interesting is how it propagated," said Podjarny. "CoreServices not an executable. It is a library linked by the LLVM linker."
Developers in effect were the distribution mechanism. They were the virus.
Malware exploiting developers and their tools goes back further still, Podjarny said. There was a similar attack on the Delphi compiler in 2009, known as Induc. And back in 1984, computing luminary Ken Thompson, wrote a paper, "Reflections on Trusting Trust," describing how he created a C compiler that automatically inserted a backdoor in the programs it created.
"The moral is obvious," Thompson wrote. "You can't trust code that you did not totally create yourself."
That sentiment poses a particular problem for the Node.js community, where developers often rely on dozens or hundreds of code libraries (each of which may incorporate other libraries) written by someone else.
Developer David Gilbertson touched on the issue in a blog post in January about how easy it would be to create an npm package to steal credit card data. And there have been several attacks on npm and other developer resources like Pypi and RubyGems in recent years.
Podjarny offered several mitigation strategies. He advocated automating security controls, as Apple and npm have done with malware scans, and adopting multi-factor authentication for accounts. Organizations, he said, should make it easy to be secure, by auto-expiring access tokens for example. And they should do more to educate developers about security.
Vladimir de Turckheim, lead Node.js engineer for security monitoring biz Sqreen, echoed this point in the session that followed, a roundtable discussion of Node.js security. "We are not good at evangelizing good practices in terms of coding," he said.
Podjarny, also participating in the roundtable discussion, joked about that his CTO recently gave a presentation titled, "Stack Overflow, the vulnerability marketplace," in reference to the insecure code examples that get copied and pasted from the coding community site into apps because they're blessed with a green check mark as the accepted solution.
Podjarny's message to developers was to be humble about the possibility that your code may be insecure.
"With great power comes great responsibility," he said. "You're trustworthy but you're not infallible." ®