According to Microsoft, Nobelium, the threat actor behind the successful Sunburst attack, targeted over 140 software and service providers in 2021 and likely breached 14 of them. Other sophisticated attackers, such as Lazarus Group and HoneyMyte, also focused on tampering with software from trusted providers to gain entry into target enterprises.
The problem at hand is that these new malicious methods are often invisible to traditional code reviews, especially when the modifications are made to binaries during the final integration and release stage rather than to source code. Now that software integration and delivery pipelines are directly targeted by attackers, engineering and security teams are starting to ask a number of questions:
What new application security challenges will software engineering teams face?
How can software engineering evolve its security assessments going forward?
What role will the cybersecurity Executive Order and other new regulations play in that evolution?
What practical steps can be taken to identify tampering and protect downstream users?