Attacking The Supply Chain: Developer

In 2021, we published an entry identifying the weak points of supply chain security. Against the backdrop of a surge in documented attacks, that entry gave a summarized overview of how malicious actors found gaps to abuse and took advantage of them for financial gain or disruption.

In this entry, we focus on one specific part of the supply chain: the developers themselves. To build a suitable attack model centered on the developer, we must first understand who counts as a developer (and is therefore the target), what their workflow looks like, and which tools they use daily. We then look at how developers and their tools can be abused to compromise the supply chain, and how understanding these threat scenarios lets developers and their organizations decide which tradeoffs to make to protect their projects and themselves.

Who is “The Developer”?

We can start from a dictionary definition: a developer is a person who develops computer software. In practice, this means anyone who writes code. That includes popular programming and scripting languages such as Java, JavaScript, TypeScript, Go, Python, and C/C++, but also infrastructure and container deployment definitions such as Dockerfiles, Kubernetes manifests, and Terraform HCL, among many others. By this description alone, the definition spans large parts of the IT industry, covering everyone who writes code, security researchers included.

Although the workflow itself varies from developer to developer and from company to company, it will most likely fall into one of the following categories:
