F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
Why would anyone have confidence in F5’s analysis?
I think it is more valuable for the attackers to have exfiltrated their code and analyze it for vulnerabilities.
Adding some malicious code to the BIG-IP software would require a long time for the attackers to persist in F5's systems undetected until they understood the current code. Not a zero percent chance, but pretty unlikely.
I mean, because it depends where the attack happened. Working with large companies like this in CI/CD there are a number of tools that the source code gets checked on, but not fed back into the system that could have been the source of the attack.