Threat Category: Supply Chain
ID: SPC-3
Threat Description: An adversary with access to software processes and tools within the development or software support environment can insert malicious software into components during development or update/maintenance. [1]
Threat Origin
Exploit Examples
XcodeGhost distributed a malicious version of Xcode (Apple’s developer tools) that automatically includes malicious code in compiled iOS apps.
CVE Examples
Not Applicable
Possible Countermeasures
App developers should ensure that development tools are obtained from a trusted source (e.g. directly from the vendor).
Enterprise
Only software digitally signed by a trusted developer should be used, and the integrity of software development installation packages should be verified prior to installation.
Obtained software should be installed onto target operating systems in a known-good state (fresh install from verified installation media) in a test environment, which is then evaluated for any indicators of compromise prior to authorization of production use.
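The integrity check named in the Enterprise countermeasure, as an added example that is not part of the original catalogue entry: it verifies an installation package against a pinned SHA-256 manifest before install and fails closed. The sha256sum-style manifest format, the file name devtools-installer.pkg and the payload bytes are assumptions constructed for the example, and the manifest is assumed to come from the vendor over a trusted channel.

```python
import hashlib
import hmac
import os
import string
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installer images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <file name>'); reject bad entries."""
    pinned = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= set(string.hexdigits):
            raise ValueError(f"malformed digest for {name!r}")
        if name in pinned:
            raise ValueError(f"duplicate entry for {name!r}")
        pinned[name] = digest.lower()
    return pinned

def verify_package(path, pinned):
    """Return (ok, reason). Fails closed when the package has no pinned digest."""
    expected = pinned.get(os.path.basename(path))
    if expected is None:
        return False, "no pinned digest"
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "digest mismatch"
    return True, "ok"

def demo():
    """Constructed sample: a stand-in installer, then the same file modified."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "devtools-installer.pkg")  # hypothetical name
        with open(pkg, "wb") as f:
            f.write(b"constructed vendor payload")
        pinned = parse_manifest(f"{sha256_file(pkg)}  devtools-installer.pkg\n")
        before = verify_package(pkg, pinned)
        with open(pkg, "ab") as f:
            f.write(b"bytes added after publication")
        return before, verify_package(pkg, pinned), verify_package(pkg + ".old", pinned)
```

A digest match only shows that the package equals what the manifest names, so it complements the signature check rather than replacing it.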
References
[1] J.F. Miller, “Supply Chain Attack Framework and Attack Patterns”, tech. report, MITRE, Dec. 2013; www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf
[2] Internet Security Threat Report vol. 21, Symantec, 2016; http://docs.broadcom.com/doc/istr-16-april-volume-21-en [accessed 8/1/2022]