CICD Security in the Software Supply Chain

The paper focuses on the security vulnerabilities within the Software Supply Chain (SSC) with a specific emphasis on the Social Engineering (SocE) tactics employed by adversaries to manipulate Software Engineers (SWEs) into delivering malicious software. It highlights the various tactics employed, including compromising developer accounts, device compromise, malicious pull requests, introducing malicious dependencies, injecting malicious code snippets, and manipulating maintainers' roles in open-source projects. The study outlines the impact of social engineering in Software Development Life Cycle (SDLC) steps and provides real-world incidents to illustrate the prevalence and consequences of SSC attacks.

The paper delves into the intricacies of the SSC, draws parallels between the stages of a traditional supply chain and the stages of software development, and sheds light on the key areas of vulnerability. The authors introduce the term "DevPhish" for the vulnerability introduced by human psychology and emphasize the need to explore the interplay between technological susceptibilities and human manipulation within the SSC landscape.

Furthermore, the study conducted a systematic literature review covering academic papers, industry reports, and real-world incidents related to SSC attacks. It groups the DevPhish techniques employed in SSC attacks into six main categories, with a focus on the social engineering tactics behind each.

The paper underscores the need for robust auditing mechanisms and updated threat models to address the DevPhish threats within the SSC. It also emphasizes the importance of making developers more aware of adversaries' capabilities and the need for custom prevention and detection mechanisms tailored to the workflows of software developers.
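As an added illustration of the kind of workflow-tailored auditing the summary calls for (this is example code written here, not the paper's own tooling or any project's API), the following Python check scores pull-request metadata against the tactic categories listed above: pipeline or build-file changes by first-time contributors (malicious pull requests and injected build-step code), new dependencies that are absent from or merely resemble an allowlisted name (malicious dependencies), edits to ownership files (maintainer-role manipulation), and unsigned commits (a weak signal of a compromised account). The `PullRequest` fields, the file lists, the severity weights and the sample PRs are all constructed assumptions for this example.

```python
import difflib
import os
from dataclasses import dataclass, field

# Paths that drive the build or pipeline: a change here executes code in CI.
CI_WORKFLOW_DIR = ".github/workflows/"
BUILD_FILES = {"Jenkinsfile", "Makefile", ".gitlab-ci.yml", "setup.py"}
# Files that decide who may approve or merge: the "maintainer role" lever.
GOVERNANCE_FILES = {"CODEOWNERS", "MAINTAINERS", "OWNERS"}
# Severity weights are an assumption of this example, not a published scale.
SEVERITY_WEIGHT = {"high": 3, "medium": 1, "low": 0}


@dataclass
class PullRequest:
    """Constructed PR metadata; the field names are this example's assumptions."""
    author: str
    files_changed: list
    added_dependencies: list = field(default_factory=list)
    commits_signed: bool = True


def is_pipeline_file(path):
    """True for workflow definitions and build scripts that CI will run."""
    return path.startswith(CI_WORKFLOW_DIR) or os.path.basename(path) in BUILD_FILES


def closest_allowlisted(name, allowlist, threshold=0.85):
    """Return the allowlisted package a NEW name most resembles, or None.

    An exact allowlist member is never reported as a lookalike; the threshold
    is a tunable assumption for catching one-character edits of popular names.
    """
    if name in allowlist:
        return None
    best, best_ratio = None, 0.0
    for known in sorted(allowlist):  # sorted for deterministic tie-breaking
        ratio = difflib.SequenceMatcher(None, name, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None


def audit_pull_request(pr, known_contributors, dependency_allowlist):
    """Return (severity, message) findings for the DevPhish levers in a PR."""
    findings = []
    first_time = pr.author not in known_contributors
    for path in pr.files_changed:
        if is_pipeline_file(path):
            # A pipeline edit from an unknown author is the highest-value review target.
            severity = "high" if first_time else "low"
            findings.append((severity, f"{pr.author} changed pipeline/build file {path}"))
        if os.path.basename(path) in GOVERNANCE_FILES:
            findings.append(("high", f"{pr.author} changed ownership file {path}"))
    for dep in pr.added_dependencies:
        if dep in dependency_allowlist:
            continue
        lookalike = closest_allowlisted(dep, dependency_allowlist)
        if lookalike:
            findings.append(("high", f"new dependency {dep} resembles allowlisted {lookalike}"))
        else:
            findings.append(("medium", f"new dependency {dep} is not on the allowlist"))
    if not pr.commits_signed:
        findings.append(("medium", f"commits by {pr.author} are unsigned; confirm identity out of band"))
    return findings


def risk_score(findings):
    """Aggregate findings into one number a merge gate can threshold on."""
    return sum(SEVERITY_WEIGHT[severity] for severity, _ in findings)


# Constructed sample data for a stand-alone run.
KNOWN_CONTRIBUTORS = {"alice", "bob"}
DEPENDENCY_ALLOWLIST = {"requests", "urllib3", "cryptography"}
GOOD_PR = PullRequest(author="alice", files_changed=["src/app.py"], added_dependencies=["urllib3"])
BAD_PR = PullRequest(
    author="mallory",
    files_changed=[".github/workflows/release.yml", "src/app.py", "CODEOWNERS"],
    added_dependencies=["requestes"],
    commits_signed=False,
)

if __name__ == "__main__":
    for label, pr in (("good", GOOD_PR), ("bad", BAD_PR)):
        found = audit_pull_request(pr, KNOWN_CONTRIBUTORS, DEPENDENCY_ALLOWLIST)
        print(f"{label}: score={risk_score(found)}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

The check is deliberately metadata-only so it can run as a required status check before any reviewer opens the diff; the point is to route the PRs that touch the levers the paper describes to a human who has been told what to look for, not to replace that review.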

In conclusion, the study highlights the prevalence and impact of social engineering tactics in SSC attacks, providing insights into the complex landscape of software supply chain security. The authors encourage additional exploration and research in this domain, aiming to contribute to the development of effective security measures.