Malicious code can evade common application testing strategies because it blends in with normal functionality and can remain dormant for long periods of time, even years.
While it’s hard to accept, your own software supply chain can be a source of malicious code. The culprits could be external development partners (offshore or onshore), seemingly trustworthy open source project contributors, or even disgruntled current or former employees who have access to code, administration, or control management. They may be hiding illegal activity or simply have a grudge.
It can be difficult to know whom to trust to scan for and fix any malicious code. For example, if an internal developer is the culprit, they know the infected application inside and out, have the inside track on how your security team looks for software vulnerabilities, and are skilled at hiding the traffic that malicious code can generate. If you send a malicious code report to your development team, you may tip off the perpetrator, who will then learn to evade your detection techniques.