Posted by Insider Threat
Developers often have full access to the source code of critical systems to do their job. This same access can also be used to insert logic bombs, sabotage the system, or siphon money from an organization. We have seen numerous cases of developers and system administrators exploiting parts of the software development lifecycle to commit their crimes. In this entry, we examine some recent cases involving developers who became malicious insiders.
In our repository of over 440 incidents of malicious insider activity, including crimes of IT sabotage, theft of IP, and fraud, about 4% involved source code modifications. The case summaries below outline a few of the recent cases we've encountered.
All of these cases demonstrate poor configuration management (CM) by the victim organizations. A strong CM process might have stopped these modifications before they were deployed into production. Additionally, if the organizations had had a process in place to review code change logs and verify changes before releasing code into production, these incidents might have been prevented. Finally, mandatory code reviews might also have been effective in detecting unauthorized changes to critical code bases. An earlier article published by the CERT Insider Threat Center, "Spotlight On: Programming Techniques Used as an Insider Attack Tool," examined the use of programming techniques as an insider threat tool in more detail.
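One way to automate the change-log review described above is a pre-release gate that blocks any commit touching critical code without an independent reviewer. This is an added example, not code from the CERT Insider Threat Center; the log format, the `CRITICAL_PATHS` policy, and all names and addresses are assumptions constructed for illustration.

```python
from fnmatch import fnmatch

CRITICAL_PATHS = ["payments/*", "auth/*", "deploy/*"]  # assumed policy, not from the article

# Constructed change log (hypothetical format): one header line per commit,
# then the files it touched, with a blank line between commits.
SAMPLE_LOG = """\
commit a1f3 author=alice@example.com reviewed-by=bob@example.com
payments/ledger.py
docs/README.md

commit b2e4 author=carol@example.com reviewed-by=
payments/rounding.py

commit c3d5 author=dave@example.com reviewed-by=dave@example.com
auth/session.py

commit d4e6 author=erin@example.com reviewed-by=
docs/CHANGELOG.md
"""

def parse_log(text):
    """Split the log into commits: id, author, reviewer and touched files."""
    commits = []
    for block in text.strip().split("\n\n"):
        header, *files = block.splitlines()
        _, commit_id, *fields = header.split()
        meta = dict(f.split("=", 1) for f in fields)
        commits.append({"id": commit_id, "author": meta.get("author", ""),
                        "reviewer": meta.get("reviewed-by", ""), "files": files})
    return commits

def audit(commits, critical=CRITICAL_PATHS):
    """Return (commit id, reason, critical files) for each change lacking independent review."""
    findings = []
    for c in commits:
        touched = [f for f in c["files"] if any(fnmatch(f, p) for p in critical)]
        if touched and not c["reviewer"]:
            findings.append((c["id"], "no reviewer", touched))
        elif touched and c["reviewer"].lower() == c["author"].lower():
            findings.append((c["id"], "self-reviewed", touched))
    return findings

def release_allowed(commits):
    return not audit(commits)

if __name__ == "__main__":
    for cid, reason, files in audit(parse_log(SAMPLE_LOG)):
        print(f"BLOCK {cid}: {reason}: {', '.join(files)}")
```

The gate is only as trustworthy as the reviewer field it reads, so that field should come from a system the committing developer cannot write to.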