How to Prevent Malicious Code through Application Security Testing

Malicious code, meaning any software or script that is intentionally designed to exploit vulnerabilities and cause harm is a growing challenge in application security.

You can think of malicious code as the mechanism that an attacker uses to craft cyber attacks. Threat actors use malicious code to infiltrate devices and networks, to take control of them, steal data from them or otherwise cause damage.

In this ultimate guide to malicious code, we will answer questions including, what is malicious code, and how can you prevent malicious code from putting your organization at risk.

We will also discuss examples of malicious code threats, and how AI code-generating tools and the use of open-source software repositories have made the issue of protecting against malicious code more important than ever. 

What is Malicious Code?

Let’s start with a clear definition of the term. What do we mean when we say malicious code? 

Malicious code describes any software or script which has been designed purposely to cause harm. By exploiting opportunities such as unpatched software, zero-day vulnerabilities or input validation flaws, malicious code can be injected into your applications. The results can be catastrophic for an organization, no matter the size or industry. 

Malicious code can compromise integrity via modifying application code or compromising configuration files, threaten confidentiality through data exfiltration or leakage via spyware, keyloggers or network eavesdropping, and disrupt availability by causing hardware or software to malfunction – or by launching attacks such as DDoS or ransomware. 

What Kind of Damage Can a Malicious Code Attack Cause?

Depending on the kind of code and the purpose of the attack, malicious code can impact a business in a number of ways. Let’s look at these consequences a little more closely. Remember, the business impact of malicious code attacks will vary, especially if the malicious code is sophisticated enough to propagate and spread to other devices or systems within a network. 

Business consequences of malicious code attacks include: 

Unauthorized access

When attackers gain access through software or Operating System (OS) vulnerabilities for example, they can control the device, steal information, or use remote access to launch additional attacks. 

Data manipulation

Malicious code can be designed specifically to steal, modify or exfiltrate data, including PII, financial details, and more. Data corruption can lead to data loss and system instability. 

Business disruption

As malicious code can consume resources, crash the system, lock users out of their data and create performance issues — it is common to see this kind of attack disrupting business as usual. 

Espionage
By secretly monitoring user activities, keystrokes, browsing behavior, microphone or camera activity and more, Nation State actors or hacktivists can gather intelligence. 

Physical damage to systems
Malicious code can cause damage to hardware as well as to related infrastructure, either by targeting connected systems, or by overheating processes through heavy resource usage. 

Erosion of customer trust
Customers regularly choose to leave vendors who have suffered a data breach, and this consumer trust is difficult to regain. Decreased customer confidence can lead to a lowered market share. 

Regulatory consequences
If regulators find that you have not protected your systems adequately and implemented the right processes, you may be liable for fines, penalties, and even legal and class action. 

Why is Malicious Code Such a Critical Issue for Application Security?

Compared with other kinds of cyber attacks, malicious code is often considered a more extreme threat, in part because it is often hidden inside the application code of a program that performs a legitimate action, making it harder to identify and eliminate. In application security teams for example, developers could accidentally fall victim to malicious code by downloading a seemingly useful open-source software (OSS) package which has been manipulated by an attacker. 

One reason that application security teams put malicious code at the top of the list of priorities is the way it works with stealth and persistence. By nature, many kinds of malicious code are designed to avoid detection, and to remain active within the network for long periods of time to complete their task. When a threat actor launches a DDoS attack, this is immediately obvious, while certain types of malicious code can operate under the radar, damaging systems over time or exfiltrating data without application security teams knowing. 

There are also many forms of malicious code to be aware of, so managing the risk is a tall order. The most common kinds of malicious code are trojans, viruses and worms, and malicious code also covers spyware, ransomware and rootkits, all which have their own goals and capabilities within your system. Malicious code can even impact more than one aspect of a system at the same time, stealing data while disrupting system availability for example, or opening an unauthorized backdoor for future attacks. 

One challenge of malicious code is the ability to automate the spread and scale of the threat. As malicious code is often injected via script, examples such as worms can be automated to replicate and spread across networks extremely quickly, even if a human doesn’t interact with it further. When malicious code is sophisticated in nature, it can bypass or even disable security controls, including antivirus tools, firewalls, and intrusion detection systems. 

Finally, the consequences of falling victim to malicious code are steep. Even once the initial infection has been mitigated, data may have been exfiltrated leading to identity theft or legal and regulatory damage, and customer trust may have been damaged too deeply to recover the business reputation. The financial cost of malicious code includes remediation costs, legal penalties, the cost of downtime, and more. 

Top 10 Malicious Code: Which of the Following is an Example of Malicious Code You Can Protect Against?

In application security, the most common kinds of malicious code include a variety of types of malware, each with their own specific characteristics and their own unique methods for compromising systems. Here are ten of the most prevalent forms of malicious code. 

1. Viruses

A virus is characterized by malicious code that attaches itself to legitimate applications or files, and then spreads by replication when those files are executed. There is usually a trigger that activates a virus, which could be an action by a user such as opening a file or launching an application. A virus payload can perform a wide range of harmful actions, including corrupting data, deleting files, stealing data such as credentials, or disrupting operations. Unlike many other forms of malicious code, a virus needs a host file or a program to spread. 

Examples of viruses are file infector viruses which spread when a specific program is run, macro viruses which use macros like MS Word and then spread when an infected document is opened, or boot sector viruses, which infect the boot sector of storage devices including hard drives or flash drives, and then activate when the system is rebooted. 

2. Worms

Unlike viruses, a worm can self-replicate, and therefore spread autonomously across a business network without the need for a specific host file or any human interaction. This can lead to widespread disruption, and be more difficult to isolate and eliminate than other kinds of malicious code risks. By exploiting security vulnerabilities or weaknesses in network configuration or human error, they can operate independently, consuming bandwidth, congesting the network, and causing application and system disruption. 

A worm can even scan for further vulnerable systems to spread itself more widely, often carrying a payload that performs malicious actions such as deleting files, launching DDoS attacks, or delivering additional malware including ransomware.

3. Trojans 

Trojans, or a Trojan horse is code that disguises itself as legitimate software or files and therefore can deceive a user into installing it intentionally. While trojans do not self-replicate, they can cause severe damage to application security. Once they have been installed, a trojan can install a backdoor or deploy Remote Administration Tools (RATs) to provide remote access to threat actors so they can manipulate applications or gain access to data. They can also disrupt operations through altering system settings or disabling security features, and steal and corrupt data. 

Similar to worms, trojans also often carry additional payloads, such as ransomware or spyware, compounding their ability to damage the business. They may use evasion techniques to avoid detection such as disabling antivirus or using rootkit capabilities. They can also exploit vulnerabilities to gain elevated privileges, execute code, or spread across any given network. 

4. Ransomware

By encrypting data and locking users out of their systems, ransomware threat actors use malicious code in the hopes of receiving a ransom payment to restore access. It is increasing in prevalence, and ransomware was involved in almost a quarter of all breaches in 2023. Ransomware can be delivered through phishing emails, attachments, or by exploiting software and application vulnerabilities. It’s usually characterized by encryption, lockout, and a ransom demand. 

Ransomware makes data inaccessible and therefore disrupts business operations, and causes financial losses through the price of recovery, operational disruption, and reputational damage. If sensitive data is exposed or shared, it can also lead to heavy regulatory penalties. 

5. Spyware

Malicious code doesn’t always mean causing business disruption or attracting attention. Spyware is a type of malicious code that’s designed to monitor and collect information from a device, while staying under the radar. It can collect personal information including credentials, browsing habits, financial information and more, and then send this back to the attacker. It can maintain persistence through modifying system settings, installing rootkits, or working through fake scheduled tasks. 

Examples of spyware include keylogging software which records every keystroke, adware which can track user behavior and compromise privacy,  system monitors which capture application usage and internet activity, and infostealers —  designed to capture credentials, financial details, or documents. 

6. Rootkits

Another kind of stealthy malicious code is rootkits, which are designed to give an attacker unauthorized access to a system, without detection. This kind of malicious code modifies the operating system, or uses software manipulation to conceal what they are doing. They are difficult to detect, and yet can grant attackers root-level access, so they can perform unauthorized actions with the highest privileges. Types of rootkits include: 

• User-mode, which operate at the application layer and intercept calls to APIs or system libraries to evade detection.
• Kernel-mode, which operate at the kernel level, manipulating the operating system and gaining high privileges. 
• Bootkits, known for infecting the MBR (master boot record), and loading before the OS itself. This makes detection and removal a real challenge. 
• Firmware, targeting hardware components such as network cards, hard drives or the system BIOS. In this case, even an OS reinstall may not fix the problem.
  

7. Botnets

Malicious code can lead to the download of a botnet, which are networks of compromised devices controlled by a bad actor. They can then conduct malicious activities at scale. Botnets are characterized by a large number of infected devices spread across different locations, which makes remediation more of a challenge. They will also have an attacker who has remote control over the bots using command and control servers, or P2P communications. 

Botnets can be coordinated to launch attacks at the same time, for example overwhelming websites and services through DDoS attacks, sending large volumes of spam, launching brute force attacks to gain unauthorized access, or distributing additional kinds of malware. This can exhaust resources, disrupt operations, and lead to data breaches and financial loss. 

8. Fileless malware

As fileless malware operates in memory, it is harder to detect than malware hidden in files stored on disk. It leverages existing legitimate software, processes and applications, and doesn’t create or modify any files on the disk, using trusted systems and processes such as PowerShell or Microsoft Office macros to avoid triggering security tools. 

Fileless malware can enter a system through vulnerabilities in browsers or plugins, or via phishing emails and drive-by downloads. It executes its payload directly in memory and can then download additional commands, set up scheduled tasks, or perform malicious actions and make lateral moves across a network. 

9. Cryptojacking

This kind of malicious code has a specific goal — to hijack computational resources from the system to mine cryptocurrency. This can degrade system performance via increased latency leading to poor user experience, increase operational costs through higher energy bills, and shorten the lifespan of hardware through overheating and excessive wear. Cryptojacking is a popular type of malicious code for attackers, as they can profit directly, rather than relying on an organization paying a ransom for example. 

Despite heavy resource use, cryptojacking can go unnoticed if attackers deploy techniques such as resource throttling to evade detection, or if the malicious code is designed to automatically terminate if high CPU usage has been detected, or when other resource-intensive activities are taking place. 

10. SQL Injection and Cross-Site Scripting (XSS) Payloads

These are two of the most common web application vulnerabilities, where malicious code is injected into applications so that threat actors can manipulate the application or access data. With a SQL injection (SQLi), malicious SQL code is placed in an application’s input fields, URL, or cookies, allowing the attacker to manipulate queries from the database. Data can be stolen or manipulated, attackers can bypass authentication mechanisms, and the database can be compromised entirely. 

Cross-site scripting (XSS) usually uses JavaScript to create and inject malicious scripts into a web application, which are then executed in the user’s browser. This technique exploits application vulnerabilities which allow untrustworthy data to be included in the output. Attackers can then steal cookies or tokens to impersonate legitimate users, steal credentials, modify content to mislead users, or distribute malware. 

What do Today’s Developers Need to Know About How to Prevent Malicious Code? 

One question that comes up a lot, is “who is responsible for managing the risks of malicious code?” A fast-paced software development environment means that developers may not want to take responsibility over security. They may want to focus on development without what they perceive as any hurdles to their velocity. However, today — security is on everyone’s job description, and the benefits of building a DevSecOps culture is clearer than ever. 

Let’s look at one example to start with. When it comes to application security, there is one key risk that’s growing in the way that developers work, and that’s the use of open-source software (OSS) packages for development. These are easy to download from repositories such as GitHub Packages, npm, PyPl and NuGet Gallery, and are simple to access, customize and adapt, and completely free of charge. It’s no surprise that developers are leaning on these kinds of code repositories more than ever, especially with the rise of AI-generated code that makes it quicker than ever to create and leverage packages. 

However, attackers are also leveraging the very same open-source ecosystem with nefarious intent, to inject malicious code into packages, libraries or dependencies. When developers download these packages without stringent safeguarding and security tools in place, they can add risk to their applications and their business environments. This can happen through: 

• Compromised packages or repositories: By gaining access to repositories or accounts, attackers can inject malicious code that turns software into malware. Developers download the compromised packages, and despite no negative intent — introduce malware into their applications. 
• Dependency issues: Package managers resolve dependencies internally according to their own rules, which can cause confusion. To leverage this, attackers create a malicious package with the same name as a legitimate internal package, and the PMS may pull the public version inadvertently. 
• Typosquatting: Just like the popular phishing technique, attackers can create malicious packages with a similar name to legitimate ones, and wait for developers to download them by mistake. These can be invisible to the naked eye, for example by using an uppercase i (I) instead of a lowercase L (l). 
• Pull requests: Without thorough review processes, a seemingly legitimate code change could pass by using a pull request to an open source project, despite it potentially containing malicious code. 
• Package installation. If package managers allow scripts to run automatically during installation, malicious threat actors can use these scripts to execute commands, or download additional malware. 
• Out of date packages: There are so many open source projects, and many are no longer maintained or updated, which makes them extremely vulnerable to attacker takeover and the lack of patches. 

Don’t forget… supply chain attacks

Remember, it’s not just the packages themselves to consider. Attackers can also compromise build tools, CI/CD pipelines, or other dependencies. This could impact the project as well as any downstream software which also relies on the same components. 

The Most Advanced Supply Chain Attack Known to Date – Backdoor in XZ Project, Linux distributions files compression tool:

How Can You Prevent VMalicious Code that Come from Third-party OSS Packages?

There are a number of best practices for developers when working with third-party open-source software repositories. They should always use official and reputable libraries and repositories, and never download from a source that is unverified or unknown to them. Checksums, signatures and integrity verification tools can help them to verify package integrity before they download. Remind developers to be particularly vigilant for any packages that run installation scripts automatically. There are also dependency locking tools such as package-lock.json in npm, which can make sure that you’re controlling which versions are used when updates are made. Of course, implementing early and continuous secure development practices can add a layer of protection and limit the impact of malicious code, including multi-factor authentication, isolated development environments, and the principle of least privilege. 

At Checkmarx, we know how crucial it is to allow developers to work with velocity in mind, and so we have developed a differentiated capability specifically for malicious package detection. Using advanced scanning technologies and the unparalleled expertise of our security researchers, our multi-layered package analysis methodologies have identified more than 385,000 malicious packages. 

Checkmarx One’s Malicious Package Protection includes: 

Detection: Whether it’s in manifest files, binaries or containers, the module detects malicious packages wherever they appear. As we use transitive dependency scanning — even if a malicious package is the dependency of a dependency, you’ll still see it in your scan results. 

Exploitability: Prioritization is a common challenge when solving vulnerabilities. Through our Sysdig integration, we can incorporate runtime data, so developers can prioritize and remediate based on runtime usage, focusing their resources on where malicious packages are present in an application. 

Customization: Smart reliability metrics allow you to see the trustworthiness of any package referenced in an application. You define your policies according to business context, whether that’s sending alerts, preventing pull requests, or breaking a build until the issue is fixed. 

Protecting Applications from Malicious Code is a Core Part of a Robust Application Security Solution

On top of our dedicated solution for malicious package protection, malicious code security is a core element of our application security platform, across a number of key solutions. This helps to strengthen the relationship between developers and security teams, and allows developers to be more empowered in making security fixes as part of their flow of work. Here are just a few examples from within Checkmarx One. 

Static Application Security Testing (SAST)

Checkmarx’ SAST tool identifies any vulnerabilities in source code before they are deployed, protecting against malicious code by allowing developers to detect and fix flaws as early as possible in the software development life cycle (SDLC). SAST analyzes the source code and identifies issues such as SQL injection, cross-site scripting, buffer overflows and more. With these discovered early, the cost and disruption involved in remediation are much lower than they would be if these were found later in the life cycle. SAST identifies potential backdoors or suspicious patterns that could signify malicious code, including vulnerabilities that are as a result of accidental or malicious inclusion by employees. 

As well as finding malicious code, SAST tools also allow teams to take a step back and support security at an earlier stage, helping to ensure malicious code never finds its initial entry point. This might be detecting insecure coding patterns, or security issues such as hard coded credentials or insufficient input validation. SAST can highlight improper access controls or overly permissive permissions, and can even uncover inadequate encryption. All of these features reduce the likelihood of the flaws and vulnerabilities that lead to malicious code injection in the first place. 

Key differentiators in Checkmarx One’ SAST solution include: 

• Deep and wide scans: Teams can visualize every vulnerability in detail, or zoom out and scan widely for only the most critical. 
• Presets: Template rulesets come out-of-the-box, to meet common use cases like compliance or industry-specific needs. 
• Remediation: Auto-remediation leverages Artificial Intelligence to automatically suggest code to fix vulnerabilities:
• ASPM: Application Security Posture Management ingests data from all tools into a single dashboard, providing guidance on risk reduction.
• Application-centric scanning: See how application flows interact with one another and build connections. 
• Reduced false positives and negatives: A customizable query language and the ability to fine-tune scanning for more accurate results. 
• Uncompiled code scanning: Save on time and resources by scanning just new or changed code, as well as scanning at the repository level. 
• Best-fix locations: Direct developers to make the fix themselves, dramatically reducing Mean-time-to-Respond (MTTR). 
• Real-time scanning: Instant feedback through real-time scanning in the Integrated Developer Environment (IDE).
• AI-code protection: Prevent vulnerabilities introduced by AI-generated code written by tools like GitHub Copilot.  
• Wide language support: We support 31 programming languages and counting, giving AppSec teams ultimate flexibility. 
• Strong integrations: To help with developer engagement and adoption, we integrate with the IDE, SCM solutions, CI/CD tools, and more. 

Software Composition Analysis and AI Security

Protecting against malicious code attacks is also a core tenet of Checkmarx’ Software Composition Analysis (SCA). SCA tools identify and mitigate the risk of vulnerabilities in open-source packages and libraries. As well as the risks we covered above with using OSS repositories, there are additional risks related to the growing use of AI, and we use a similar methodology to SCA to offer our AI Security, providing scanning for all AI-generated code. 

82.5% of developers now use Gen AI to write code, but this output cannot always be trusted. Risks include LLM hallucinations, where a model makes up information to close gaps, or makes assumptions which are not inherently valid or from a legitimate source. Best case scenario is that developers end up trying to download a package that doesn’t exist. However, in the worst case scenario — attackers upload a package with the “hallucinated” information, alongside malicious code, and developers download it with confidence. This is just one example of the risks of LLMs. 

Developers will continue to use LLMs, and they should! They are a powerful tool to help with velocity and productivity. However, our AI Security can add a layer of protection by offering real-time scanning of code generated by LLMs such as Github Copilot within their IDE. Just like how SCA operates with open-source components, AI-generated code scanning can identify any vulnerabilities, highlight hallucinations, and detect potential issues as the code is being generated in their own workflow.

Container Security

Containers are a useful way to package applications alongside all dependencies in a portable and standardized way. This means that software is always deployed consistently, but it can also mean that if container images, files or runtime environments have vulnerabilities — they are carried across, too. 

Scanning for malicious code in container security allows threats to be detected early before container images are deployed, reducing the risk of a cyber attack, enhancing the overall security posture of the business, and meeting compliance regulations for securing the software supply chain. 

Checkmarx One’ Container Security includes:

• Image vulnerability scanning: With a multi-layered approach, analyze each layer of an image, identifying any potential threats or existing vulnerabilities. 
• Static and dynamic analysis: Analyze container images and contents without execution, as well as in a controlled environment against runtime indicators of malicious activity. 
• Package inspection: Make sure that all packages that are within container images meet your best practices for security according to your business context. 
• Triage and prioritization: Look at vulnerabilities based on their severity and exploitability, with detailed information about the threat alongside steps for remediation. 
• Malicious package identification: Leverage a proprietary database of more than 385,000 malicious packages, with alerts for when packages are in active use. 
• Supply chain security: Add confidence that container images and their dependencies are sourced from trusted locations, verifying digital signatures and checksums. 
• Integration with CI/CD: Integrate with CI/CD pipelines so that malicious code scanning happens automatically when a build is updated, with automated policies to block or alert on finding vulnerabilities. 
• Recommendations: Access detailed scan results and analysis, as well as alternative base images that have a lower security risk profile where necessary. 

So, What is Malicious Code? Your Top Priority in Application Security

As a broad category that includes some of today’s most significant and persistent threats to application security, malicious code poses risks that extend beyond individual systems, and can devastate entire organizations and industry supply chains. The business impact of malicious code can be anything from a data breach and heavy financial losses, to operational disruption, regulatory action, and the erosion of customer trust. 

Malicious code doesn’t have one way of looking or behaving. It can exploit vulnerabilities at any stage of the software development life cycle, targeting weaknesses in the code itself, in dependencies, and in configurations and infrastructure. Threats like spyware or rootkits can lie dormant under the radar gathering intelligence, while others come storming in, guns blazing, via a ransomware demand or a DDoS onslaught. 

As attacks become more sophisticated, and the pressure increases on developers to launch products and features faster and with greater innovation, organizations need to implement robust security measures to protect their applications and their data. 

A single holistic application security platform like Checkmarx One plays a vital role in supporting developers in preventing the risks associated with malicious code. Instead of adding friction between AppSec and Dev teams, integrated security tools such as SAST, SCA and AI security within the IDE, and guided remediation and fixes means that developers can identify security flaws and vulnerabilities early in their cycle, and fix them autonomously before they enter production environments or become prohibitively expensive to solve. 

While SAST tools analyze source code and identify vulnerabilities like SQLi or XSS, SCA scans open-source libraries and dependencies, Container Security scans images, and AI Security manages AI-generated code. Together, these tools provide a complete view of the entire application’s security posture, so that risks are handed from end-to-end. On top of that, by integrating security directly into CI/CD pipelines, the velocity of the build can be retained, minimizing risk while allowing developers to shine. 

Significantly reducing your exposure to the risks of malicious code needs to be top of your list of priorities. With the right tools, processes and strategies —  organizations can stay two steps ahead, and build resilient and secure applications without slowing down the pace of innovation. Reduce the risk of malicious code in your DevSecOps environment with a single application security platform that covers the risk across your bases. Schedule a demo of Checkmarx One.