From reading this, it seems that one thing one can do is to be force separation of the build from testing, so the build never has access to binary code that can be injected.