
Fortify calls Apache tools insecure

Written by Dana Blankenhorn

Fortify Software chief scientist Brian Chess and his team have published a white paper demonstrating how cross-build injection attacks could let criminals take control of programs as they are being written.

In particular, the paper says three Apache build tools -- Ant, Maven, and Ivy (the latter is now in the Apache Incubator) -- could make developers, and their employers, vulnerable.

All three tools pull in "external dependencies" that are loaded during the build process, Fortify wrote. A criminal who can substitute one of those dependencies could thus hijack the build and give trojans or other malicious programs future access to the software being built.
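The defensive counterpart to the scenario above, as an added example that is not from Fortify's paper or from the Apache projects: a build step that only accepts a fetched dependency when its SHA-256 matches a digest pinned in advance, so a substituted artifact is rejected instead of being compiled in. The artifact coordinates, bytes and repositories below are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample artifacts: the genuine jar bytes and a tampered copy
# that an attacker sitting between the build tool and its repository might serve.
GENUINE_BYTES = b"genuine widget 1.0 jar bytes"
TAMPERED_BYTES = b"genuine widget 1.0 jar bytes + injected backdoor"

# Lock file: coordinates pinned to the SHA-256 of the reviewed artifact.
# (Hypothetical coordinates; a real lock would be written at review time.)
PINNED = {
    "org.example:widget:1.0": hashlib.sha256(GENUINE_BYTES).hexdigest(),
}

# Two simulated repositories: one honest, one serving a swapped artifact.
HONEST_REPO = {"org.example:widget:1.0": GENUINE_BYTES}
HIJACKED_REPO = {"org.example:widget:1.0": TAMPERED_BYTES}


class DependencyTampered(Exception):
    """Raised when a fetched artifact cannot be matched to a pinned digest."""


def verify_artifact(coordinate, payload, pins=PINNED):
    """Return the artifact's SHA-256 if it matches the pin; refuse unpinned
    coordinates so a newly introduced dependency cannot slip in unnoticed."""
    if coordinate not in pins:
        raise DependencyTampered(f"{coordinate}: no pinned digest in lock file")
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison of hex digests.
    if not hmac.compare_digest(actual, pins[coordinate]):
        raise DependencyTampered(
            f"{coordinate}: digest mismatch (expected {pins[coordinate][:12]}..., got {actual[:12]}...)"
        )
    return actual


def resolve_all(requested, repo, pins=PINNED):
    """Fetch each coordinate from the repository and verify it.
    Returns (verified, rejected): digests for accepted artifacts and
    the reason each rejected one was refused, so the build can fail loudly."""
    verified, rejected = {}, {}
    for coordinate in requested:
        payload = repo.get(coordinate, b"")  # stands in for the tool's download step
        try:
            verified[coordinate] = verify_artifact(coordinate, payload, pins)
        except DependencyTampered as err:
            rejected[coordinate] = str(err)
    return verified, rejected
```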

While the vulnerability at this point is theoretical -- the main fix so far is an update to security coding rulepacks -- the alert highlights just how sophisticated criminal gangs are becoming in their efforts to hijack PCs for use by botnets, which are now the major security threat on the Internet. Once broken into smaller botnets to escape detection, they can be rented out to other criminals for as little as $1,000 per hour.

Botnets are not just being used for distributing spam or viruses anymore. They're also being used to blackmail sites with threats of DNS attacks. Some alarmists even see them determining the next President as politicians use them for dirty tricks campaigns.

Given all that, the idea of someone hijacking your little corporate build by getting between your development team and its tools is not that far-fetched. And it's useful to know what is theoretically possible before you find out about vulnerabilities the hard way.
