Software Engineering Institute | Carnegie Mellon University

Digital Library

Presentation

Insider Threats in the Software Development Life Cycle

  • November 2014
  • By Daniel L. Costa, Randall F. Trzeciak
  • This TSP Symposium 2014 presentation uncovers patterns from cases in which insiders exploited vulnerabilities in software development processes to harm their organizations.
  • Publisher: TSP Symposium
  • This presentation was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.
  • Abstract

    This TSP Symposium presentation explains that the software development life cycle presents a wide array of attack vectors for malicious insiders. The software produced, and its associated artifacts, are assets that an organization must protect. The data collected by or entered into software can be the target of theft, tampering, and other types of malicious activity. The business processes automated by software can be severely impacted when software is faulty or services are unavailable. Through the CERT Division's insider threat research, we have collected numerous cases in which insiders exploited vulnerabilities in software development processes to cause harm to their organizations. In this presentation, we discuss patterns and trends in these cases, focusing on similarities in attack techniques, targets, and motivations. We also present mitigation strategies for commonly exploited vulnerabilities and make the case for the creation of a secure software development process as a critical piece of a robust insider threat program.

  • Slides