Build Application Firewalls Strengthen Defense Against Rising Supply Chain Attacks

The cybersecurity landscape is increasingly vulnerable to supply chain attacks, particularly those stemming from flaws introduced during the Continuous Integration/Continuous Deployment (CI/CD) build process. As organizations continue to rely on automated systems for software development, the need for robust defenses has never been more critical. One promising solution is the implementation of Build Application Firewalls (BAFs), which aim to mitigate these risks.

The SolarWinds Incident: A Wake-Up Call

The SolarWinds supply chain attack in 2020, which compromised approximately 18,000 organizations, serves as a stark reminder of the vulnerabilities inherent in software development. This incident highlighted a prevalent method of attack—compromising the development cycle of widely used tools. Despite the lessons learned, similar tactics have been employed repeatedly, demonstrating a failure to adequately fortify defenses.

In March 2026, a notable incident involved North Korean actors who hijacked an Axios npm library maintainer’s account, subsequently publishing two malicious versions of the library. Axios, a widely trusted tool, saw these versions downloaded by an estimated 3% of its user base before they were removed. The ultimate goal was to deploy a remote access trojan via CI/CD processes.

Recent Compromises in CI/CD Tools

In a separate but equally alarming event during the same timeframe, TeamPCP successfully compromised several widely used tools, including Aqua’s Trivy vulnerability scanner and BerriAI’s LiteLLM. On March 31, Mercor reported being among the many companies affected by a supply chain attack involving LiteLLM. In early April, the European Commission confirmed a significant data breach, losing 300GB of data due to an API key compromised in the Trivy attack.

The crux of the issue lies in the introduction of malicious code into the CI/CD application build process. This can occur without the developer’s knowledge, as most build systems automatically pull dependencies from repositories like npm or PyPI. Consequently, a compromised package or a malicious version can easily be integrated into the build.

Limitations of Current Scanning Solutions

While scanners are designed to monitor what enters the CI/CD pipeline and to check the final build, they are not foolproof. Two primary reasons for their shortcomings include the potential for malicious actions to appear benign—such as posting to GitHub, a platform generally considered safe—and the existence of unknown zero-day vulnerabilities that remain undetected.

This phenomenon can be termed the “Mythos effect.” The evolving capabilities of advanced AI models may expose numerous vulnerabilities that could be inserted into the build, enabling malicious actors to create stealthy exploits. Standard CI/CD scanners are often ill-equipped to identify these threats, particularly when it comes to the unauthorized distribution of secrets to seemingly acceptable IP addresses.

David Pulaski, co-founder of InvisiRisk, emphasizes the limitations of traditional scanning methods. He likens the scanner to a doorman who allows entry based on a seemingly valid invitation. However, once a vulnerability gains access, it can execute malicious actions, such as exfiltrating sensitive information.

The Role of Build Application Firewalls

InvisiRisk proposes a more proactive approach: inspecting every package entering the build process rather than merely scanning for vulnerabilities. The company has developed a Build Application Firewall (BAF) specifically for CI/CD environments. This firewall monitors activities within the build, providing a layer of oversight that traditional scanners lack.

While hardened runners are often employed to prevent malicious content from entering the build, they typically only monitor DNS traffic. As Pulaski notes, these systems do not perform deep packet inspection, which is crucial for identifying unauthorized data exfiltration. In contrast, a BAF can detect suspicious activities, regardless of whether a known vulnerability is present.

The BAF enforces policies during the build process, allowing users to define acceptable actions. Over time, the firewall can learn and suggest actions that may pose risks. Its AI capabilities provide detailed explanations for flagged activities, helping organizations understand potential threats.

Enhancing Software Bill of Materials (SBOM)

The implementation of BAFs also has implications for the broader software ecosystem. Software Bills of Materials (SBOMs) have become essential for successful software sales, particularly following Executive Order 14028, which mandates their use for software sold to the federal government. SBOMs aim to reduce supply chain vulnerabilities by providing transparency regarding the components of software applications.

However, the quality of existing SBOMs often falls short. Pulaski asserts that InvisiRisk’s SBOM tool is superior because it actively monitors the software being built, rather than relying on static lists and manifests. This approach ensures that organizations know the provenance and dependencies of every component, allowing them to halt any unauthorized actions.

Through this process, InvisiRisk’s TruSBOM tool generates a comprehensive and accurate SBOM, enhancing the security posture of organizations.

The rise of supply chain attacks necessitates a reevaluation of existing security measures. As cyber threats continue to evolve, the integration of Build Application Firewalls into CI/CD processes represents a critical step toward safeguarding software development and deployment.

Source: www.securityweek.com

Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.