This TSP Symposium presentation explains that the software development life cycle presents a wide array of attack
vectors for malicious insiders. The software produced, and its
associated artifacts, are assets that an organization must protect. The
data collected by or entered into software can be the target of theft,
tampering, and other types of malicious activity. The business processes
automated by software can be severely impacted when software is faulty
or services are unavailable. Through the CERT Division's insider threat
research, we have collected numerous cases in which insiders exploited
vulnerabilities in software development processes to cause harm to their
organizations. In this presentation, we discuss patterns and trends in
these cases, focusing on similarities in attack techniques, targets, and
motivations. We also present mitigation strategies for commonly
exploited vulnerabilities and make the case for the creation of a secure
software development process as a critical piece of a robust insider
threat program.