Software Supply Chain Security: 1st Party Code Risks

After connecting with dozens of CISOs and CTOs, we've realized there’s a lot of diverging ideas around what software supply chain security even is. Even more so, the range of opinions around how to effectively protect against the unique and expanding kinds of risks is confusing to say the least. And while there are plenty of supply chain security standards around, and plenty of deeply technical supply chain security resources, there wasn't anything talking about it from a business risk level. So, we put together a resource for CISOs and CTOs that explores four categories of risks;

• The Developer
• 1st Party Code
• 3rd Party Code and
• The Development Infrastructure

Understanding 1st Party Code Risks

The code that your developers write directly have intentional and unintentional risks. The introduction of AI generated code adds a growing and unique layer of risk with many companies simply being blind to AI usage. 

Writing insecure code or designing insecure systems, unintentionally

Just as “all software has bugs”, all software will have security flaws, too. Various forms of testing in addition to threat modeling are needed to uncover these unintentional vulnerabilities introduced in the normal course of development. Think AppSec, Static or Dynamic Analysis (SAST/ DAST) or other forms of security testing to uncover these bugs and eliminate them.

Inserting malicious code into a project - intentionally

We stated earlier that there are several scenarios in which a developer account can be compromised (fake interview campaigns, malware) or in which there is an insider threat. Regardless of the origin event, the impact is that malicious code may be inserted in the project, perhaps in the form of a backdoor.

IP Theft

Compromised developer tokens can lead to source code theft. When a malicious insider discovers they have access to source code repositories that they shouldn’t, source code theft is often the result.

Credential Theft

We know that stolen secrets are often the cause of a security breach, and unfortunately, hardcoded secrets in the development process remain more common than they should. In 2023, close to 13M secrets were detected in public GitHub commits. At BoostSecurity, we can confirm that the same problem exists in private repositories.  

How AI Impacts 1st Party Code

The use of coding assistants/copilots certainly increases the volume of code being produced, and, at least for now, produces less secure code. In fact, a recent Stanford University study found “participants who had access to [the] AI assistant were more likely to introduce security vulnerabilities for the majority of programming tasks, yet were also more likely to rate their insecure answers as secure compared to those in our control group.” 

When it comes to use of LLMs, they lack context about the overall application causing code snippets to incorporate bold assumptions and they often lack system threat model thinking in their design. Proprietary IP can also be placed into LLM’s, which raises questions about whether this IP can be served to other users, which happened at Samsung in 2023. Taken together, higher volume of code + more security issues per line of code = more vulnerabilities overall.

Protecting Your Software Factory

First-party code—code written directly by developers—carries several significant security risks. These include unintentional vulnerabilities caused by insecure coding practices or flawed system design, which require security-focused testing such as threat modeling, static analysis (SAST), or dynamic analysis (DAST) to uncover. Intentional threats also exist, such as malicious code injection by compromised developers or insider threats. Other risks include intellectual property (IP) theft through unauthorized access to source code repositories and the widespread issue of credential theft, often due to hardcoded secrets in repositories—an issue affecting both public and private codebases.

The increasing use of AI coding assistants amplifies these risks. Although AI tools help generate more code, they tend to produce less secure code due to a lack of contextual awareness and threat modeling capabilities. The combination of accelerated code output and higher vulnerability rates creates a scenario where overall software risk is significantly increased.

Grab a copy of "Securing The Software Factory" and continue cataloguing your software supply chain risks. Whether it’s guarding against highly-targeted phishing attacks on developers, mitigating insider threats, or ensuring the security of third-party tools and services, knowing the vulnerable points gives you a clearer line of sight into where to act—and why it matters to the business.