
Introduction
In this article, we will discuss the eighth item in the OWASP Top 10 for 2021 (OWASP releases a new list every four years), which is Software and Data Integrity Failures.
OWASP, short for the Open Web Application Security Project, is an open-source initiative focused on improving the security of web applications. The organization regularly conducts seminars, discussions, and educational programs for developers and security professionals.
So, what is the OWASP Top 10?
It is a classification of the most critical security risks commonly found in web applications, ranked from the highest to the lowest severity. Its primary purpose is to help developers better understand and mitigate these risks in the systems they build.
Software and Data Integrity Failures
What Are Software and Data Integrity Failures?
Software and Data Integrity Failures refer to weaknesses in an application that arise when the system does not properly validate the integrity of software or data being used.
This category includes vulnerabilities such as:
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-494: Download of Code Without Integrity Check
- CWE-502: Deserialization of Untrusted Data
These failures often occur because the application, environment, or infrastructure does not adequately prevent unauthorized modifications. Examples include:
- Serialized objects or data structures that can be viewed or manipulated by attackers, making them vulnerable to insecure deserialization.
- Applications that rely on plugins, libraries, or modules from untrusted sources (repositories, mirrors, or CDNs).
- Insecure CI/CD pipelines that may allow unauthorized access, malicious code injection, or system compromise.
- Automated update mechanisms that download updates without verifying their integrity — enabling attackers to distribute malicious updates across all installations.
Practical
A08:2021 – Software and Data Integrity Failures — Explained
Mitigation
- Use signatures, checksums, or integrity verification mechanisms before executing or installing software components.
- Ensure that all libraries, dependencies, and plugins originate from trusted and verified sources.
- Implement allowlists for third-party software sources.
- Secure CI/CD pipelines with strict access controls and artifact validation.
- Prefer software packages, images, or binaries that include official hash verification.
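As an added example (not code from the original article), the following Python shows two of the mitigations above in working form: a pinned SHA-256 check that must pass before a downloaded component is used, and an HMAC tag that is verified before serialized data is parsed, with JSON used instead of a code-executing serializer. The artifact bytes and the key are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed artifact and its pinned digest. In a real pipeline the digest
# comes from a lockfile or a signed release manifest, not from the download.
TRUSTED_ARTIFACT = b"#!/bin/sh\necho 'install step'\n"
PINNED_SHA256 = hashlib.sha256(TRUSTED_ARTIFACT).hexdigest()


def verify_artifact(data: bytes, pinned_sha256: str) -> bool:
    """Accept a component only if its SHA-256 equals the pinned value.
    compare_digest keeps the comparison constant-time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


# Constructed key for the serialized-data case; a deployment keeps this in a
# secrets store and never ships it inside the payload or to the client.
SESSION_KEY = b"constructed-demo-key-do-not-reuse"


def seal(obj: dict, key: bytes) -> bytes:
    """Serialize as JSON (parsing it cannot run code) and append an HMAC tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unseal(blob: bytes, key: bytes):
    """Verify the tag before parsing; any tampering or missing tag yields None.
    The hex tag contains no '.', so the last '.' is always the separator."""
    body, sep, tag = blob.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)
```

A modified artifact fails the digest check even if only one byte changed, and a serialized object whose fields were edited after sealing is rejected before it is ever deserialized.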
References
- OWASP Cheat Sheet: Infrastructure as Code
- OWASP Cheat Sheet: Deserialization
- SAFECode Software Integrity Controls
- A ‘Worst Nightmare’ Cyberattack: The SolarWinds Hack
- Codecov Bash Uploader Compromise
- Securing DevOps — Julien Vehent
Additional Related CWE Entries
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-353: Missing Support for Integrity Check
- CWE-494: Download of Code Without Integrity Check
- CWE-502: Deserialization of Untrusted Data
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
- CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-830: Inclusion of Web Functionality from an Untrusted Source
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes