Internal software developer

From OWASP
Revision as of 13:19, 12 August 2006 by OWASP (Talk | contribs)


This is a threat agent. To view all threat agents, please go to Threat Agent Category page.

Description

Internal software developers are members of the software development team with access to change the software and some aspects of the software configuration. In many organizations, these developers will have the ability to modify any part of the software baseline. Some organizations have strict controls about what internal software developers are allowed to access in production, but others are more lax, allowing developers to make production changes.

A malicious developer is one of the most difficult threats to deal with, as it is extremely difficult to identify malicious code. A talented attacker will make attacks look exactly like an inadvertent error for plausible deniability. In addition, malicious code may be obfuscated to prevent easy detection. Some techniques include spreading an attack throughout a software baseline, using inheritance and class loading tricks to hide calls, and even formatting tricks.
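The two obfuscation techniques named above (class loading tricks that hide the real call target, and formatting tricks that make source render differently from how it compiles) are both things a code reviewer can screen for mechanically before a human looks at a change. The following is an added example, not OWASP's or any project's tool: a small review helper that scans Java source for reflection-based loading and for Unicode format characters (bidi overrides, zero-width characters). The pattern list and the sample Java snippet are constructed assumptions for illustration; a real review pipeline would tune both to its own code base.

```python
"""Review helper: flag source lines that merit close human review.

Heuristics (assumptions for this example, not an OWASP standard):
  * "dynamic-load": reflection / dynamic class loading, which can hide
    which code actually runs from a reviewer reading the call site.
  * "hidden-char": Unicode format characters (category Cf) such as bidi
    overrides and zero-width spaces, which change how a line renders
    without changing what the compiler sees.
"""
import re
import unicodedata

# Reflection and dynamic-loading calls worth a second look in Java source.
DYNAMIC_LOAD = re.compile(
    r"\b(Class\.forName|defineClass|getDeclaredMethod|getMethod|invoke)\s*\("
)

# Unicode "Format" characters: invisible or rendering-altering code points.
HIDDEN_CATEGORIES = {"Cf"}


def find_hidden_chars(line):
    """Return (position, 'U+XXXX') for every format character in the line."""
    return [
        (pos, f"U+{ord(ch):04X}")
        for pos, ch in enumerate(line)
        if unicodedata.category(ch) in HIDDEN_CATEGORIES
    ]


def review_source(text):
    """Scan source text; return (line_no, kind, detail) findings in order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in DYNAMIC_LOAD.finditer(line):
            findings.append((line_no, "dynamic-load", match.group(0)))
        for _pos, code_point in find_hidden_chars(line):
            findings.append((line_no, "hidden-char", code_point))
    return findings


# Constructed sample: a plausible-looking change that hides a hook behind
# reflection, slips a zero-width space into a comparison string, and drops a
# right-to-left override into a comment.
SAMPLE_JAVA = (
    "import java.util.List;\n"
    "public class Billing {\n"
    "  void process(String user) {\n"
    '    Object h = Class.forName("com.example.Hook").newInstance();\n'
    '    if (user.equals("admin\u200b")) { grantAll(); }\n'
    "    // see ticket \u202e 42\n"
    "  }\n"
    "}\n"
)

if __name__ == "__main__":
    for line_no, kind, detail in review_source(SAMPLE_JAVA):
        print(f"line {line_no}: {kind}: {detail}")
```

The zero-width space on the `admin` line is the interesting case: the comparison looks like a normal admin check in a diff viewer, yet it can never match a real user named `admin`, so whatever branch the attacker wanted is reached (or avoided) while the line reads as an innocent error. Run the scanner over each commit and route any finding to a reviewer who reads the raw bytes, not just the rendered diff.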

Examples

  • Java software developer
  • SQL developer
  • Mainframe developer

Related Attacks