Build-Time Attack Prevention

Imagine If…

You could ensure the security and integrity of your Product, Git and CI/CD pipeline to prevent SolarWinds-style attacks.

With Apiiro, you can…

Detect unauthorized code inserted at build-time. With a deep understanding of the source code, it is possible to determine whether or not it matches the relevant binary file (based on patent-pending technology). By the time the build process starts, Apiiro will have already learned the source code and developer experience using its risk-based AI engine. Once the Apiiro platform understands all of the code components, security controls, logical flows, data types, and their relations, Apiiro will analyze the binary by parsing and perform the following actions:

• Learn all possible logic flows and symbols
• Clean out all auto-generated compiler logic
• Adjust expected differences between runtime versions
• And more…

With the normalized entity relations from the binary, Apiiro runs graph comparison algorithms against the same data it learned from the source code.

Apiiro’s algorithm is also aware of all possible legitimate code changes during compilation (AOP frameworks, optimizations, etc.) and is able to distinguish only inserted malicious functionality, be it a small configuration change or full back door code.

Apiiro is connected across your SDLC, deeply understands your source code and binaries, and uses this knowledge for binary analysis in order to detect unauthorized code inserted at build-time with state-of-the-art and patent-pending reverse engineering technology.

The Challenges with Today’s Build-Time Binary Analyses

Taking binary code and restoring it to its original source code is a practically impossible task. Compilation is a complex, non-reversible action (smart reflection and other techniques can be effective but will rarely produce a “character perfect” recreation). A compiled binary is packed with information, optimizations, and metadata that are continuously changing. Even if you take the same source code and compile it again a minute later, the binaries won’t be identical. In addition to the non-readable binary challenge:

• The variety of CI/CD tools and approaches is extremely broad. These tools are used differently by every team (where each approach handles dependencies, common code, and additional resources in a unique way)
• The CI/CD pipeline is designed to be invisible to its users and is almost never inspected and you get a huge DevSecOps blind spot

The Bottom Line:

When Apiiro performs its build-time binary analysis at the end of every build, you get end-to-end validation that no unwanted code is injected into your product before shipping to customers.

Take Action

Start protecting yourself from build-time attacks: Book a demo today!