Home > CAPEC List > CAPEC-443: Malicious Logic Inserted Into Product Software by Authorized Developer (Version 2.11)  

CAPEC-443: Malicious Logic Inserted Into Product Software by Authorized Developer

 
Malicious Logic Inserted Into Product Software by Authorized Developer
Definition in a New Window Definition in a New Window
Attack Pattern ID: 443
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker uses their privileged position within an authorized software development organization to inject malicious logic into a codebase or product. Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In other cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries.

+ References
[R.443.1] [REF-31] Information Technology Laboratory. "Supply Chain Risk Management (SCRM)". National Institute of Standards and Technology (NIST). 2010.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
Modifications
ModifierOrganizationDateCommentsSource
CAPEC Content TeamThe MITRE Corporation2015-11-09Updated Related_Attack_PatternsInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017