DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers
CoRR (2024)
Abstract
The Software Supply Chain (SSC) has captured considerable attention from
attackers seeking to infiltrate systems and undermine organizations. There is
evidence that adversaries use Social Engineering (SocE) techniques aimed
specifically at software developers. That is, they interact with developers at
critical steps in the Software Development Life Cycle (SDLC), such as accessing
GitHub repositories, incorporating code dependencies, and obtaining approval for
Pull Requests (PRs) in order to introduce malicious code. This paper aims to
comprehensively explore the existing and emerging SocE tactics employed by
adversaries to trick Software Engineers (SWEs) into delivering malicious
software. By analyzing a diverse range of resources, encompassing established
academic literature and real-world incidents, the paper systematically presents
an overview of these manipulative strategies within the realm of the SSC. Such
insights are highly beneficial for threat modeling and security gap analysis.