Modern software is built like Lego. You fetch `npm` modules, Docker images, and firmware updates from the internet. If any one of those sources is compromised, installing the component compromises you.
The SolarWinds Attack
Attackers compromised the build environment of SolarWinds (maker of the Orion IT management platform).
They injected a backdoor into the source while it was being compiled, so it shipped inside the official Orion update.
Roughly 18,000 customers (US Government agencies among them) downloaded the trojaned Orion update. The digital signature checked out, because the legitimate build pipeline had signed the tampered binary, so installing the update installed the backdoor. The lesson: a valid signature proves the binary came out of the vendor's pipeline, not that the pipeline itself was clean.
1. Insecure Deserialization (carried over from the 2017 list)
In the 2021 Top 10 this category absorbs the old "Insecure Deserialization" and adds failures around unsigned or unverified updates.
If your application deserializes an object that came from an untrusted source, it has given up integrity over its own data. With native formats (Java serialization, Python `pickle`, PHP `unserialize`) the bytes decide which classes get instantiated and which code runs during load, so tampering escalates from corrupted data to code execution. Prefer data-only formats such as JSON, and if you must use a native format, sign the payload and verify the signature before deserializing.
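An added example, not code from the original page: a Python `pickle` payload whose `__reduce__` makes `pickle.loads()` run an attacker-chosen callable, beside a hardened loader that checks an HMAC-SHA256 tag before deserializing and, as defence in depth, only permits a fixed allow-list of classes. The key, the `side_effect` sentinel (standing in for `os.system`) and the session dict are constructed for the demonstration.

```python
"""Insecure deserialization with pickle, and an integrity-checked alternative."""
import hashlib
import hmac
import io
import pickle

# Constructed sentinel: every callable pickle invokes on load appends here.
EXECUTED = []


def side_effect(tag):
    """Stands in for os.system / subprocess.call in a real gadget chain."""
    EXECUTED.append(tag)
    return tag


class MaliciousPayload:
    """Attacker-built object: pickle.loads() calls the callable __reduce__ names."""
    def __reduce__(self):
        return (side_effect, ("code ran during deserialization",))


def attacker_blob() -> bytes:
    return pickle.dumps(MaliciousPayload())


def vulnerable_load(blob: bytes):
    """The pattern the text warns about: deserializing untrusted bytes as-is."""
    return pickle.loads(blob)


TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(key: bytes, data: bytes) -> bytes:
    """Append HMAC-SHA256 so only a holder of `key` can mint a valid payload."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


class RestrictedUnpickler(pickle.Unpickler):
    """Even an authentic payload may only reference these plain globals."""
    ALLOWED = frozenset({("builtins", "dict"), ("builtins", "list"),
                         ("builtins", "str"), ("builtins", "int")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def verify_and_load(key: bytes, blob: bytes):
    """Check the tag in constant time BEFORE a single byte is deserialized."""
    if len(blob) < TAG_LEN:
        raise ValueError("payload too short to carry a tag")
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to deserialize")
    return restricted_load(data)


def demo() -> dict:
    key = b"server-side secret, never sent to clients"  # constructed key
    results = {}

    EXECUTED.clear()
    vulnerable_load(attacker_blob())                 # gadget fires on load
    results["vulnerable_ran_callable"] = len(EXECUTED) == 1

    EXECUTED.clear()
    try:                                             # attacker forges a tag
        verify_and_load(key, attacker_blob() + b"\x00" * TAG_LEN)
        results["forged_tag_accepted"] = True
    except ValueError:
        results["forged_tag_accepted"] = False
    results["callable_ran_after_forgery"] = bool(EXECUTED)

    session = {"user": "alice", "role": "viewer"}    # constructed payload
    results["legit_payload"] = verify_and_load(key, sign(key, pickle.dumps(session)))

    tampered = bytearray(sign(key, pickle.dumps(session)))
    tampered[-TAG_LEN - 1] ^= 0x01                   # flip one bit of signed data
    try:
        verify_and_load(key, bytes(tampered))
        results["tampered_accepted"] = True
    except ValueError:
        results["tampered_accepted"] = False

    try:                                             # allow-list alone also stops it
        restricted_load(attacker_blob())
        results["restricted_blocks_gadget"] = False
    except pickle.UnpicklingError:
        results["restricted_blocks_gadget"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to notice: the HMAC check runs before `pickle.loads`, so a forged or tampered blob never reaches the deserializer at all, and the allow-list in `find_class` is a second line of defence for the case where the key leaks. Neither replaces the simplest fix, which is to not accept `pickle` from clients in the first place.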
2. CI/CD Pipeline Attacks
Attackers target the pipeline (Jenkins, GitHub Actions) rather than the application itself.
If they can push to `main` without review, or modify the build script, they own everything the pipeline produces, including what ends up in production.
Dependabot (GitHub) and similar tools automatically scan dependencies for known vulnerabilities (CVEs) and open upgrade pull requests. They only know about published CVEs; a malicious package version with no CVE yet passes straight through.
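One concrete way the build script gets modified without anyone touching your repository is a third-party action referenced by a mutable tag or branch: whoever controls that action's repo can move the tag, and your next build runs their new code. The following is an added example (not from the original page or any project it mentions) that scans a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA. The workflow text, the `some-org/publish-helper` action and the 40-hex placeholder SHA are constructed for the demonstration.

```python
"""Flag GitHub Actions `uses:` references that can change underneath you."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A step line such as "  - uses: owner/repo@ref  # comment"; the ref stops at
# whitespace, a quote or a comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


@dataclass
class Finding:
    line: int
    uses: str
    reason: str


def classify_ref(uses: str) -> Optional[str]:
    """Return None when the reference is immutable, otherwise why it is not."""
    if uses.startswith("./"):
        return None  # action lives in this repo and is reviewed with the code
    if uses.startswith("docker://"):
        return None if "@sha256:" in uses else "container image not pinned by digest"
    if "@" not in uses:
        return "no ref given; resolves to whatever the default branch holds"
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return None  # a commit SHA cannot be re-pointed
    if VERSION_TAG_RE.match(ref):
        return f"mutable tag '{ref}'; the action's repo owner can move it"
    return f"branch or symbolic ref '{ref}'; changes on every push"


def audit_workflow(text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            reason = classify_ref(m.group(1))
            if reason:
                findings.append(Finding(lineno, m.group(1), reason))
    return findings


# Constructed workflow: one correctly pinned step, three that are not.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/setup-node@v4
      - uses: some-org/publish-helper@main
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - run: npm ci && npm test
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.uses}: {f.reason}")
```

Pinning to a SHA is only half the job: keep the human-readable version in a trailing comment (as the `checkout` line does) so Dependabot-style tooling can still propose upgrades, and review what the new SHA contains before merging the bump.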
3. Lack of Signing
Downloading software over plain HTTP with no signature check.
An attacker on the network path performs a Man-in-the-Middle and swaps `setup.exe` for a trojan; nothing on your side notices, because nothing was verified.
Protection
1. Code Signing: Sign all binaries and verify the signature on install. Keep the signing key out of the build hosts (an HSM or signing service), since SolarWinds shows a compromised pipeline will happily sign whatever it builds.
2. Dependency Scanning: Use `npm audit`, Snyk, or OWASP Dependency-Check to catch known-vulnerable dependencies, and pin versions with a lockfile so a build pulls the same bytes every time.
3. Verify Checksums: Check the SHA-256 hash of downloaded files against a value from a trusted, separate source (a signed release manifest, or the vendor's HTTPS release page), never against a `.sha256` file served next to the download on the same server, which the same attacker controls.
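The checksum point in "Lack of Signing" and in item 3 above deserves a demonstration of why the source of the expected hash matters. The following is an added example, not from the original page: it simulates an attacker on the download path who swaps `setup.exe` and regenerates the sidecar `.sha256` file, and compares a check against that sidecar with a check against a digest pinned in advance. The installer bytes and the `mitm_serve` function are constructed stand-ins for a real download.

```python
"""SHA-256 verification: pinned digest versus a checksum fetched over the same channel."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a real installer without loading all of it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Compare digests in constant time; accept upper/lower-case hex."""
    actual = sha256_hex(data).encode()
    expected = expected_hex.strip().lower().encode()
    return hmac.compare_digest(actual, expected)


# --- Constructed scenario ----------------------------------------------------
GENUINE_INSTALLER = b"MZ\x90\x00 genuine setup.exe bytes (constructed)"
TROJANED_INSTALLER = b"MZ\x90\x00 same file name, attacker payload (constructed)"

# What the vendor published out of band: a signed SHASUMS file, the HTTPS
# release page, or the value you recorded when you first vetted this build.
PINNED_DIGEST = sha256_hex(GENUINE_INSTALLER)


def mitm_serve(path: str) -> bytes:
    """Attacker on the HTTP path: swaps the binary AND rewrites the sidecar checksum."""
    served = {
        "setup.exe": TROJANED_INSTALLER,
        "setup.exe.sha256": (sha256_hex(TROJANED_INSTALLER) + "  setup.exe\n").encode(),
    }
    return served[path]


def check_against_sidecar() -> bool:
    """Anti-pattern: trusting a checksum fetched over the same compromised channel."""
    body = mitm_serve("setup.exe")
    sidecar_hex = mitm_serve("setup.exe.sha256").split()[0].decode()
    return verify_download(body, sidecar_hex)


def check_against_pinned() -> bool:
    """Correct: compare against a digest the attacker could not influence."""
    body = mitm_serve("setup.exe")
    return verify_download(body, PINNED_DIGEST)


if __name__ == "__main__":
    print("sidecar checksum accepts trojaned file:", check_against_sidecar())
    print("pinned digest accepts trojaned file:   ", check_against_pinned())
```

The sidecar check passes on the swapped binary, which is exactly why it gives no protection; the pinned check fails as it should. A detached signature (GPG, Sigstore, Authenticode) is the generalisation of the pinned digest: the thing you trust in advance is a public key rather than a per-file hash.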