Difference between revisions of "Internal software developer"

From OWASP
 
(Related Attacks)
Line 15: Line 15:
 
==Related Attacks==
 
==Related Attacks==
  
[[Logic/time bomb]]
+
* [[Logic/time bomb]]
[[Backdoor attack]]
+
* [[Backdoor attack]]
[[Salami attack]]
+
* [[Salami attack]]
  
 
[[Category:Attack]]
 
[[Category:Attack]]

Revision as of 13:19, 12 August 2006

This is a threat agent. To view all threat agents, please go to the Threat Agent Category page.

Description

Internal software developers are members of the software development team with access to change the software and some aspects of the software configuration. In many organizations, these developers will have the ability to modify any part of the software baseline. Some organizations have strict controls about what internal software developers are allowed to access in production, but others are more lax, allowing developers to make production changes.

A malicious developer is one of the most difficult threats to deal with, as it is extremely difficult to identify malicious code. A talented attacker will make attacks look exactly like an inadvertent error for plausible deniability. In addition, malicious code may be obfuscated to prevent easy detection. Some techniques include spreading an attack throughout a software baseline, using inheritance and class loading tricks to hide calls, and even formatting tricks.

Examples

* Java software developer
* SQL developer
* Mainframe developer

Related Attacks