Software supply chain attacks are rife – this is what developers need to watch out for | ITPro

IT Pro – Steve Ranger
NIST has issued new guidance warning that software supply chain vulnerabilities are being increasingly exploited by threat actors like state-backed hackers and insiders.
Attacks target multiple points in the SDLC, such as developer workstations, open source code repositories, containerization, and CI/CD pipelines.
This lets attackers stealthily introduce malware, vulnerabilities, or stolen credentials through legitimate software updates and distribution channels.
NIST outlines risks from phishing, malware, social engineering and physical access targeting developers and development environments.
Recommended mitigations include access controls, authentication, authorization, monitoring, patching, vulnerability scanning and physical security.
Securing CI/CD pipelines, dependencies and open source code is particularly challenging but important.
Experts comment that roles/authorizations and open source risk management need improvement, but comprehensive security cannot be rushed and will be disruptive.
The guidance emphasizes securing the entire SDLC, not just final applications, to prevent supply chain compromises.
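The summary above names dependency and open source risk as the hard part of securing the pipeline. One concrete, automatable control for that is to require every third-party package to be pinned to an exact version with a declared hash, and to verify each fetched artifact against that hash before it is installed or built. The script below is an added example written for this page; it is not code from ITPro, Steve Ranger, or NIST. It assumes the pip requirements-file format (`name==version --hash=sha256:...`, with backslash continuations) and uses a constructed sample file and a constructed stand-in artifact whose hash is computed inline so the example is self-consistent offline.

```python
"""Dependency hygiene check for a pip-style requirements file.

Two supply-chain controls are enforced:
  1. every requirement is pinned to an exact version (==) and declares a --hash
  2. a downloaded artifact must match one of the declared hashes before use
"""
import hashlib
import re
from dataclasses import dataclass, field

# name, optional comparison operator, optional version (stops at whitespace or ';')
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    operator: str          # "" when no version constraint was given
    version: str
    hashes: list = field(default_factory=list)   # entries like "sha256:<hex>"


def _logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""
    if buf and not buf.startswith("#"):
        yield buf


def parse_requirements(text):
    """Parse requirement lines into Requirement records; option lines are skipped."""
    reqs = []
    for line in _logical_lines(text):
        if line.startswith("-"):          # e.g. --index-url, not a package
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1), m.group(2) or "", m.group(3)
        hashes = [f"{alg.lower()}:{hexd.lower()}" for alg, hexd in HASH_RE.findall(line)]
        reqs.append(Requirement(name, op, ver, hashes))
    return reqs


def find_violations(reqs):
    """Return one message per control that a requirement fails."""
    problems = []
    for r in reqs:
        if r.operator != "==":
            problems.append(f"{r.name}: not pinned to an exact version ({r.operator}{r.version or '*'})")
        if not r.hashes:
            problems.append(f"{r.name}: no --hash declared")
    return problems


def verify_artifact(data, declared_hashes):
    """True only if the artifact bytes match at least one declared hash."""
    for entry in declared_hashes:
        alg, _, expected = entry.partition(":")
        if hashlib.new(alg, data).hexdigest() == expected:
            return True
    return False


# Constructed sample data (not a real wheel, not a real lock file).
SAMPLE_ARTIFACT = b"constructed stand-in for a downloaded wheel file"
GOOD_HASH = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

SAMPLE_REQUIREMENTS = f"""\
# constructed sample requirements file
--index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:{GOOD_HASH}
urllib3>=1.26
certifi==2024.2.2
flask
"""

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for problem in find_violations(reqs):
        print("violation:", problem)
    print("artifact matches declared hash:", verify_artifact(SAMPLE_ARTIFACT, reqs[0].hashes))
```

In the sample, only `requests` passes both controls; `urllib3` and `flask` are unpinned and unhashed, and `certifi` is pinned but unhashed, so the check reports five violations. Running a check like this as a CI step, and failing the build on any violation or hash mismatch, turns "secure your dependencies" into an enforced gate rather than a guideline.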
Link: https://www.itpro.com/software/software-supply-chain-attacks-are-rife-this-is-what-developers-need-to-watch-out-for