
CAPEC-446: Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency

 
Attack Pattern ID: 446
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An attacker conducts a supply chain attack by causing an insecure or malicious third-party component to be included in a technology, product, or code base, for example by packaging a malicious driver or library with the product before it ships to the consumer or acquirer. The result is a window of opportunity for exploiting the product or software until the insecure component is discovered. This supply chain threat can result in the installation of software that introduces widespread security vulnerabilities within an organization. One example is an exploitable DLL (Dynamic Link Library) bundled with an antivirus product. Because software often depends on a large number of interdependent libraries and components, security holes can be introduced merely by installing COTS software that comes pre-packaged with the components required for it to operate.
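The check a build pipeline or acquirer can run against this pattern, as an added example that is not part of the CAPEC entry: every bundled third-party component is compared with a manifest that pins the SHA-256 of the exact bytes approved for release, so a swapped, modified, unpinned, or extra component is flagged before the product ships rather than after the window of opportunity has opened. The component names, their bytes, and the manifest are constructed for this example.

```python
"""Verify shipped third-party components against a pinned manifest.

Added example (not part of CAPEC-446). A manifest maps each bundled
component to the SHA-256 of the bytes approved for release; an empty
string means the component was listed but never pinned. The audit
reports anything that is missing, unpinned, changed, or not in the
manifest at all.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    component: str
    problem: str  # "missing", "unpinned", "hash-mismatch", or "unexpected"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_components(manifest: Dict[str, str], shipped: Dict[str, bytes]) -> List[Finding]:
    """Compare shipped component bytes with the pinned manifest.

    manifest: component name -> expected SHA-256 hex ("" if never pinned)
    shipped:  component name -> bytes actually placed in the package
    Returns one Finding per problem, manifest entries first, then extras.
    """
    findings: List[Finding] = []
    for name, expected in sorted(manifest.items()):
        if name not in shipped:
            findings.append(Finding(name, "missing"))
        elif not expected:
            # Listed but never pinned: nothing constrains what ships here.
            findings.append(Finding(name, "unpinned"))
        elif sha256_hex(shipped[name]) != expected.lower():
            findings.append(Finding(name, "hash-mismatch"))
    for name in sorted(shipped):
        if name not in manifest:
            # Rode along with the package without ever being reviewed.
            findings.append(Finding(name, "unexpected"))
    return findings


# Constructed stand-ins for the component bytes a release engineer reviewed
# and pinned; real builds would hash the actual library files.
KNOWN_GOOD: Dict[str, bytes] = {
    "libscan.dll": b"constructed: libscan 4.1.0 release build",
    "zlib1.dll": b"constructed: zlib 1.2.13",
    "updater.dll": b"constructed: updater 2.0",
}
MANIFEST: Dict[str, str] = {name: sha256_hex(data) for name, data in KNOWN_GOOD.items()}
MANIFEST["sqlite3.dll"] = ""  # constructed gap: listed but never pinned


def build_tampered_package() -> Dict[str, bytes]:
    """Constructed package in which a vendored component was altered,
    one was dropped, and one extra library was slipped in."""
    shipped = dict(KNOWN_GOOD)
    shipped["libscan.dll"] = KNOWN_GOOD["libscan.dll"] + b"\n<injected loader>"
    shipped["sqlite3.dll"] = b"constructed: sqlite 3.42"
    shipped["helper.dll"] = b"constructed: never reviewed, not in manifest"
    del shipped["updater.dll"]
    return shipped


def audit_release() -> List[Finding]:
    """Run the manifest check over the constructed tampered package."""
    return verify_components(MANIFEST, build_tampered_package())


if __name__ == "__main__":
    for f in audit_release():
        print(f"{f.problem:14s} {f.component}")
```

A hash pin only moves trust to whoever produced the manifest: it catches a component altered after approval, not one that was already malicious when it was approved, so the manifest itself should be built from reviewed sources and signed, and the check should run both at packaging time and at install time on the acquirer's side.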

+ References
[R.446.1] [REF-31] Information Technology Laboratory. "Supply Chain Risk Management (SCRM)". National Institute of Standards and Technology (NIST). 2010.
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Page Last Updated or Reviewed: July 31, 2017